

WordPress before 3.6.1: PHP Object Injection - tomvangoethem
http://vagosec.org/2013/09/wordpress-php-object-injection/

======
JiJadiJade
This is pretty a lengthy read and if I follow it correctly, then the actual
problem has not been fixed? So Wordpress is still not able to differ between
injected serialized data (which is dangerous as the PHP manual states as well)
and that data it serialized on it's own, right?

~~~
darkotic
The article says it has been fixed in 3.6.1.

