Merge pull request #403 from InstaWP/86cxc2djx-fix-pop-chain-vulnerability

Fixed secured unserialized data handling

Author: iamsayan

docs/readme.txt

@@ -46,6 +46,9 @@ When writing your search string, make sure to wrap your search in forward slashe
 
 == Changelog ==
 
+= 2.6.7 ( beta) =
+* Fixed secured unserialized data handling to prevent potential vulnerabilities.
+
 = 2.6.6 (2024-08-21) =
 * Fixed missing URL input sanitization.
 * Verified compatibility with WordPress 6.6

includes/Extension/SearchReplace/Replace/class-sql.php

@@ -166,8 +166,14 @@ public function get_edit_url() {
 	 */
 	public function recursive_unserialize_replace( $from = '', $to = '', $data = '', $serialised = false ) {
 		// Some unserialised data cannot be re-serialised eg. SimpleXMLElements.
+		global $wpdb;
+		
 		try {
-			$unserialized = @unserialize( $data );
+			$unserialized = false;
+			if ( ! empty( $data ) && ( $wpdb->prefix . 'comments' !== $this->table_name || 'comment_content' !== $this->column_name ) && is_serialized( $data ) ) {
+				$unserialized = @unserialize( $data, array( 'allowed_classes' => false ) );
+			}
+			
 			if ( is_string( $data ) && false !== $unserialized ) {
 				$data = $this->recursive_unserialize_replace( $from, $to, $unserialized, true );
 			} elseif ( is_array( $data ) ) {