[wp-trac] [WordPress Trac] #64646: Vulnerability in /public/wp-includes/sodium_compat/composer.json.

WordPress Trac noreply at wordpress.org
Mon Feb 16 11:48:51 UTC 2026


#64646: Vulnerability in /public/wp-includes/sodium_compat/composer.json.
-------------------------------+-----------------------------
 Reporter:  artsiomreutovich   |      Owner:  (none)
     Type:  defect (bug)       |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  General            |    Version:  6.9.1
 Severity:  critical           |   Keywords:  needs-patch
  Focuses:  php-compatibility  |
-------------------------------+-----------------------------
 Please check GH report regarding vulnerable package

 **Overview**
 A vulnerability has been discovered involving unsafe deserialization of
 code coverage data in PHPT test execution. The vulnerability exists in the
 cleanupForCoverage() method, which deserializes code coverage files
 without validation, potentially allowing remote code execution if
 malicious .coverage files are present prior to the execution of the PHPT
 test.

 **Technical Details**
 Affected Component: PHPT test runner, method cleanupForCoverage()
 Affected Versions: <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7
 **Vulnerable Code Pattern**
 if ($buffer !== false) {
     // Unsafe call without restrictions
     $coverage = @unserialize($buffer);
 }
 The vulnerability occurs when a .coverage file, which should not exist
 before test execution, is deserialized without the allowed_classes
 parameter restriction. An attacker with local file write access can place
 a malicious serialized object with a __wakeup() method into the file
 system, leading to arbitrary code execution during test runs with code
 coverage instrumentation enabled.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64646>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
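As an added illustration (not code from WordPress, PHPUnit, or the ticket reporter), the following PHP shows the restricted counterpart of the pattern quoted in the ticket: the same `unserialize()` of a `.coverage` file, but with the `allowed_classes` option set so that no application class can be instantiated during deserialization, plus a structural check on the result. The helper name `loadCoverageSafely`, the assumption that coverage data is a plain array (file path => line => hit count), and the sample inputs are all constructed for this example.

```php
<?php
// Added example, not WordPress or PHPUnit code. Shows the difference between
// an unrestricted unserialize() on a coverage file and a restricted one.

declare(strict_types=1);

// Hypothetical helper: read a .coverage file and deserialize it safely.
// Coverage data written by a PHPT run is assumed here to be a plain array
// (file path => line number => hit count); no object should ever appear in it.
function loadCoverageSafely(string $path): ?array
{
    $buffer = @file_get_contents($path);
    if ($buffer === false) {
        return null;
    }

    // allowed_classes => false (available since PHP 7.0): every serialized
    // object becomes a __PHP_Incomplete_Class placeholder, so no __wakeup()
    // or __destruct() of an application class runs during deserialization.
    $coverage = @unserialize($buffer, ['allowed_classes' => false]);

    // Coverage data must be an array; reject anything else outright.
    if (!is_array($coverage)) {
        return null;
    }

    // Defence in depth: walk the structure and refuse it if any object
    // (including an incomplete-class placeholder) is present anywhere.
    $containsObject = false;
    array_walk_recursive($coverage, function ($value) use (&$containsObject): void {
        if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
            $containsObject = true;
        }
    });

    return $containsObject ? null : $coverage;
}

// Constructed sample inputs, written to temporary files for the demonstration.
$legit   = serialize(['/tmp/Example.php' => [3 => 1, 4 => 1, 7 => -1]]);
$tainted = serialize(['/tmp/Example.php' => new ArrayObject([])]); // object where an array is expected

$legitFile   = tempnam(sys_get_temp_dir(), 'cov');
$taintedFile = tempnam(sys_get_temp_dir(), 'cov');
file_put_contents($legitFile, $legit);
file_put_contents($taintedFile, $tainted);

// The legitimate file yields an array; the tainted file is rejected.
var_dump(loadCoverageSafely($legitFile) !== null);
var_dump(loadCoverageSafely($taintedFile) === null);

unlink($legitFile);
unlink($taintedFile);
```

If a coverage format legitimately contains objects, replace `false` with an explicit allowlist of the expected class names rather than dropping the option; the structural check then has to accept only those classes. Either way, the file should also be checked for existence before the test runs, since the ticket notes it is not expected to be present at that point.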