The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object injection into the application scope.
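
The behaviour described above, shown next to two hardened ways of reading the same input. This is an added example, not code from the original page; the CacheFile class, the function names and the sample string are constructed for illustration, and PHP 7.4 or later is assumed.

```php
<?php
// Constructed demo class: stands in for any application class with a magic method.
final class CacheFile
{
    public static array $events = [];
    public string $path = '/tmp/demo.cache';

    public function __wakeup(): void
    {
        // Runs automatically whenever unserialize() rebuilds a CacheFile.
        self::$events[] = "wakeup:{$this->path}";
    }
}

// Vulnerable pattern: the input decides which classes get instantiated.
function loadPrefsUnsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened: refuse every class; objects come back as __PHP_Incomplete_Class
// and none of the application's magic methods are invoked.
function loadPrefsNoObjects(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Preferred: a data-only format that cannot describe objects at all.
function loadPrefsJson(string $raw): array
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('preferences must be a JSON object or array');
    }
    return $data;
}

// Constructed input, as it might arrive in a cookie or form field.
$input = 'O:9:"CacheFile":1:{s:4:"path";s:14:"/tmp/other.dat";}';

$unsafe = loadPrefsUnsafe($input);
var_dump($unsafe instanceof CacheFile, CacheFile::$events);

CacheFile::$events = [];
$safe = loadPrefsNoObjects($input);
var_dump($safe instanceof CacheFile, get_class($safe), CacheFile::$events);

try { loadPrefsJson($input); } catch (JsonException $e) { echo "rejected: {$e->getMessage()}\n"; }
```

The allowed_classes option of unserialize() is available from PHP 7.0; it also accepts an explicit list of class names when some objects must still be restored.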