PHP Object Injection (POI) is a vulnerability that allows an attacker to modify a PHP object in such a way that the application's control flow changes; depending on the classes available to the application, this can result in remote code execution, directory traversal, and other outcomes. The main culprit is user-supplied input being passed to an unserialize() call, which lets the attacker choose which objects get instantiated and, through them, which code runs. The situation is in fact so dire that the official PHP documentation for unserialize() carries the following warning:

"Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. ..."
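To make the warning concrete, here is an added example (not code from the original page) showing the vulnerable pattern next to two hardened alternatives: refusing object instantiation with the allowed_classes option of unserialize(), and replacing the native format altogether with JSON authenticated by an HMAC. The UserPrefs class, the cookie format and the demo key are constructed for illustration.

```php
<?php
// Added example (not from the original page): a small preferences object, a
// vulnerable handler that unserializes a cookie value, and hardened handlers
// that either refuse object instantiation or authenticate the data first.
declare(strict_types=1);

final class UserPrefs
{
    public function __construct(public string $theme = 'light') {}
}

// VULNERABLE: untrusted cookie content reaches unserialize() unchanged, so any
// class the application can autoload may be instantiated by the client, and
// that class's __wakeup()/__destruct() methods run on the attacker's schedule.
function loadPrefsVulnerable(string $cookieValue): mixed
{
    return unserialize($cookieValue);
}

// HARDENED, step 1: forbid object instantiation entirely (PHP >= 7.0). Any
// O:... record in the input is turned into __PHP_Incomplete_Class instead of a
// live object, so no application-class code is triggered by deserialization.
function loadPrefsNoObjects(string $cookieValue): mixed
{
    return unserialize($cookieValue, ['allowed_classes' => false]);
}

// HARDENED, step 2 (preferred): do not use PHP's native serialization for data
// that crosses a trust boundary. Store JSON and authenticate it with an HMAC so
// the server only decodes bytes it produced itself.
function encodePrefs(UserPrefs $prefs, string $key): string
{
    $json = json_encode(['theme' => $prefs->theme], JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $key);
    return base64_encode($json) . '.' . $mac;
}

function decodePrefs(string $cookieValue, string $key): ?UserPrefs
{
    $parts = explode('.', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $json = base64_decode($b64, true);
    // Constant-time comparison; reject tampered or malformed input before parsing.
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return null;
    }
    $data = json_decode($json, true, 2, JSON_THROW_ON_ERROR);
    // Whitelist the fields and values we expect instead of trusting the input's shape.
    $theme = in_array($data['theme'] ?? null, ['light', 'dark'], true) ? $data['theme'] : 'light';
    return new UserPrefs($theme);
}

// Demonstration with constructed values (no network, no real secret).
$key   = 'constructed-demo-key-replace-in-production';
$legit = serialize(new UserPrefs('dark'));

// The vulnerable path hands back a live UserPrefs built from client-controlled bytes.
var_dump(loadPrefsVulnerable($legit) instanceof UserPrefs);
// With allowed_classes => false the same bytes yield an inert __PHP_Incomplete_Class.
var_dump(loadPrefsNoObjects($legit) instanceof __PHP_Incomplete_Class);

// The JSON+HMAC path round-trips a legitimate cookie and rejects a modified one.
$cookie = encodePrefs(new UserPrefs('dark'), $key);
var_dump(decodePrefs($cookie, $key)?->theme);
var_dump(decodePrefs($cookie . 'x', $key));
```

The allowed_classes option is a useful stopgap when an existing code base cannot be migrated quickly, but it still parses attacker-controlled structure; the JSON-plus-HMAC variant removes the deserialization attack surface rather than constraining it, which is why it is the recommended end state.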