WordPress is vulnerable to PHP object injection. The vulnerability exists in the wp_get_attachment_thumb_file
function in wp-includes/post.php because the attack can be triggered by inputting manipulated metadata.