megamenu

{
    "slug": "megamenu",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "3.8.1",
    "hit_count": 2,
    "first_hit": {
        "file": "classes/scss/1.11.1/src/Cache.php",
        "line": 136,
        "snippet": "L135: $c = file_get_contents($fileCache);  \u2192  L136: $c = unserialize($c);"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*`/`curl_exec`/`file_get_contents`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak."
}

{
    "slug": "megamenu",
    "previous_version": "3.8.1",
    "current_version": "3.8.1",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "classes/scss/1.11.1/src/Cache.php",
            "line": 136,
            "snippet": "L135: $c = file_get_contents($fileCache);  \u2192  L136: $c = unserialize($c);",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "classes/scss/0.0.12/scss.inc.php",
            "line": 4352,
            "snippet": "L4352: $imports = unserialize(file_get_contents($icache));  \u2192  L4352: $imports = unserialize(file_get_contents($icache));",
            "confidence": "high"
        }
    ],
    "new_finding_count": 2
}