Insecure deserialization is a vulnerability that occurs when untrusted data is deserialized by the application and used to abuse its logic, inflicting a denial of service (DoS) or even remote code execution.
A PHP forum uses PHP object serialization to save a “super” cookie containing the user’s user ID, role, password hash, and other state:
An attacker changes the serialized object to give themselves admin privileges:
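The scenario above, as an added example (not code from the original page, and the forum functions, key name and cookie values are hypothetical): the vulnerable handler trusts whatever role the cookie carries, while the hardened one keeps objects out of the cookie and checks an HMAC before it reads a single field, so an edited role is rejected instead of honored.

```php
<?php
// Vulnerable pattern: the role is taken straight from an attacker-controlled cookie.
function vulnerable_load_user(string $cookie): array {
    // Whoever can edit the cookie can also edit the role and user ID inside it.
    // If unserialize() is truly unavoidable, at least pass ['allowed_classes' => false]
    // so no application objects (and their __wakeup/__destruct hooks) are rebuilt.
    return unserialize($cookie);
}

// Hardened pattern: state that must live client-side is signed, and the server
// verifies the signature before decoding. Better still, keep it in a server-side session.
// Placeholder secret: load it from configuration, never hard-code it.
const COOKIE_KEY = 'placeholder-secret-from-config';

function issue_cookie(array $state, string $key): string {
    // JSON instead of serialize(): plain data only, no object graph to abuse.
    // Note: the password hash has no business being in a cookie at all.
    $payload = base64_encode(json_encode($state));
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

function load_user(string $cookie, string $key): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                       // malformed cookie
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                       // tampered or forged: treat as logged out
    }
    $state = json_decode(base64_decode($payload, true), true);
    return is_array($state) ? $state : null;
}

// Demo with constructed values.
$cookie = issue_cookie(['id' => 132, 'name' => 'Mallory', 'role' => 'user'], COOKIE_KEY);
var_dump(load_user($cookie, COOKIE_KEY));      // original state is accepted

// Same MAC, but the payload now claims the admin role: verification fails.
$forged = base64_encode(json_encode(['id' => 1, 'name' => 'Alice', 'role' => 'admin']))
        . '.' . explode('.', $cookie, 2)[1];
var_dump(load_user($forged, COOKIE_KEY));      // rejected
```

Run it with the PHP CLI; a null result from load_user should be logged, since a failed MAC check on a cookie is a useful tampering signal for detection.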
Insecure deserialization flaws can lead to remote code execution, one of the most serious attacks.