wp search-replace calls PHP's unserialize() on data retrieved from the database to perform replacements within serialized structures. Currently, this call does not restrict which classes can be instantiated (i.e., it does not use the [ 'allowed_classes' => false ] option introduced in PHP 7.0).
As a hardening measure, we set [ 'allowed_classes' => false ] by default but will add a WP-CLI filter hook (WP_CLI::do_hook()) to allow customizing this if needed.
This approach prevents magic methods from executing by default but still provides a way for users with legitimate needs to maintain their workflow via the override mechanism.
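The effect of the option on a serialized value that embeds an object, as an added example (not WP-CLI's own code). The `DemoPayload` class, the `probe()` helper and the `$stored` string are constructed for illustration.

```php
<?php
// Constructed demo class: records each magic method PHP invokes on it.
class DemoPayload {
    public $note = '';
    public static $calls = [];

    public function __wakeup() {
        self::$calls[] = '__wakeup';
    }

    public function __destruct() {
        self::$calls[] = '__destruct';
    }
}

// Constructed sample of a serialized database value containing an object.
$stored = 'a:1:{s:5:"value";O:11:"DemoPayload":1:{s:4:"note";s:5:"hello";}}';

/**
 * Unserialize $data with the given options and report which class the
 * embedded object became and which magic methods ran along the way.
 */
function probe(string $data, array $options): array {
    DemoPayload::$calls = [];
    $result = unserialize($data, $options);
    $class  = get_class($result['value']);
    unset($result); // free the object so a destructor, if any, runs now

    return ['class' => $class, 'magic_calls' => DemoPayload::$calls];
}

// Unrestricted call: DemoPayload is instantiated, so its __wakeup() and
// __destruct() run on data that came straight from storage.
echo "default options:\n";
print_r(probe($stored, []));

// Hardened call: no class is instantiated. The object is materialized as
// __PHP_Incomplete_Class, which has no magic methods to trigger.
echo "allowed_classes => false:\n";
print_r(probe($stored, ['allowed_classes' => false]));
```

The `allowed_classes` option also accepts an array of class names, which permits specific classes while every other class still becomes `__PHP_Incomplete_Class`.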