PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. In order to successfully exploit a vulnerability two conditions must be met: The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks, or to start a POP chain”]
Source: https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection