Merge pull request #403 from InstaWP/86cxc2djx-fix-pop-chain-vulnerab…

…ility Fixed secured unserialized data handling
InstaWP · Jan 15, 2025 · 394f034 · 394f034
2 parents fec77f9 + b5debbf
commit 394f034
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/docs/readme.txt b/docs/readme.txt
@@ -46,6 +46,9 @@ When writing your search string, make sure to wrap your search in forward slashe
 
 == Changelog ==
 
+= 2.6.7 ( beta) =
+* Fixed secured unserialized data handling to prevent potential vulnerabilities.
+
 = 2.6.6 (2024-08-21) =
 * Fixed missing URL input sanitization.
 * Verified compatibility with WordPress 6.6

diff --git a/includes/Extension/SearchReplace/Replace/class-sql.php b/includes/Extension/SearchReplace/Replace/class-sql.php
@@ -166,8 +166,14 @@ public function get_edit_url() {
 	 */
 	public function recursive_unserialize_replace( $from = '', $to = '', $data = '', $serialised = false ) {
 		// Some unserialised data cannot be re-serialised eg. SimpleXMLElements.
+		global $wpdb;
+
 		try {
-			$unserialized = @unserialize( $data );
+			$unserialized = false;
+			if ( ! empty( $data ) && ( $wpdb->prefix . 'comments' !== $this->table_name || 'comment_content' !== $this->column_name ) && is_serialized( $data ) ) {
+				$unserialized = @unserialize( $data, array( 'allowed_classes' => false ) );
+			}
+
 			if ( is_string( $data ) && false !== $unserialized ) {
 				$data = $this->recursive_unserialize_replace( $from, $to, $unserialized, true );
 			} elseif ( is_array( $data ) ) {