WordPress CMS installations are vulnerable to a PHP bug related to data deserialization (also known as unserialization), a security researcher revealed at the start of the month.
The bug was reported to the WordPress team on February 28, 2017, but remains unfixed to this day, more than a year and a half after the first report.
Vulnerability is in PHP, not WordPress per se
The issue affects not only WordPress, the Internet's most widespread CMS, but all PHP-based applications and libraries that handle user-supplied data.
The vulnerability is in the way PHP converts PHP objects (raw data) into strings and back into PHP objects again. This process is called serialization and deserialization, respectively, and is used in all programming languages to move data between different servers, services, or apps.
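As an added illustration (not code from the article, the researcher, or WordPress), the PHP script below walks through the round trip described above and shows why it matters for user-supplied data: `unserialize()` rebuilds whatever object the string names, and PHP then runs that class's magic methods on state the sender chose. The `TempFile` class and the sample strings are constructed for this example, which assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical application class, constructed for this example.
final class TempFile
{
    public string $path = '';
    public static array $events = [];   // harmless record of which code ran

    // PHP calls this automatically when any TempFile object is destroyed.
    public function __destruct()
    {
        self::$events[] = "destructor ran with path={$this->path}";
    }
}

// Serialization: object -> string that can be stored or sent elsewhere.
$original = new TempFile();
$original->path = '/tmp/report.tmp';
$wire = serialize($original);
echo "serialized form: {$wire}\n";
unset($original);
TempFile::$events = [];                 // ignore the application's own object

// Constructed input in the same format, as it might arrive in a cookie or
// form field. The sender, not the application, chose the property value.
$untrusted = 'O:8:"TempFile":1:{s:4:"path";s:19:"sender-chosen-value";}';

// Weak: unserialize() instantiates whatever class the string names.
$obj = unserialize($untrusted);
unset($obj);                            // destructor fires on sender-chosen state
echo "default unserialize:   ", json_encode(TempFile::$events), "\n";

// Hardened: refuse to instantiate any class from untrusted input.
TempFile::$events = [];
$inert = unserialize($untrusted, ['allowed_classes' => false]);
var_dump($inert instanceof TempFile);   // check whether a TempFile was built
unset($inert);
echo "allowed_classes=false: ", json_encode(TempFile::$events), "\n";

// Preferred for user-supplied data: a format that carries values only.
$data = json_decode('{"path": "sender-chosen-value"}', true, 8, JSON_THROW_ON_ERROR);
echo "json_decode returns:   ", gettype($data), "\n";
```

Comparing the two event lists shows the difference: the default call executes application code chosen by the input, while the restricted call and the JSON path only ever produce inert data.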