[wp-trac] [WordPress Trac] #62483: maybe_serialize() does support double serialization, but does not inform the developer if doing so
WordPress Trac
noreply at wordpress.org
Mon Feb 23 14:32:02 UTC 2026
#62483: maybe_serialize() does support double serialization, but does not inform
the developer if doing so
-------------------------+-----------------------------
Reporter: apermo | Owner: audrasjb
Type: enhancement | Status: reviewing
Priority: normal | Milestone: Future Release
Component: General | Version: 3.6.1
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
-------------------------+-----------------------------
Comment (by apermo):
I've reviewed my old tickets, and did some further research on this using
Claude Code.
My concern on WPCS is true, WPCS can detect `wp_update_post( 1, 'key',
serialize( $data ) )` but not if the serialization happened outside.
I will create a custom PHPStan rule, which will be available on my github
and probably via packagist, yet I still think this should be covered in
core as well.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62483#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list