Security researcher from Secarma has discovered a new exploitation technique that could make it easier for hackers to trigger critical deserialization vulnerabilities in PHP programming language using previously low-risk considered functions. The new technique leaves hundreds of thousands of web applications open to remote code execution attacks, including websites powered by some popular content management systems like WordPress and Typo3. An attacker can even exploit this vulnerability using a JPEG image, originally a Phar archive converted into valid JPEG by modifying its first 100 bytes. In a detailed paper released at Black Hat conference last week, Thomas demonstrated how this attack can be executed against WordPress sites using an author account.
Source: https://thehackernews.com/2018/08/php-deserialization-wordpress.html