Commit 52cc87c709a for woocommerce

commit 52cc87c709a5291bb136c525d16a92b2b7615c3c
Author: XananasX <cihbank069@gmail.com>
Date:   Tue Jun 16 09:49:56 2026 +0100

    add allowed_classes => false to unserialize() in LookupDataStore (#65426)

diff --git a/plugins/woocommerce/changelog/65426-security-unserialize-allowed-classes b/plugins/woocommerce/changelog/65426-security-unserialize-allowed-classes
new file mode 100644
index 00000000000..e04146044d8
--- /dev/null
+++ b/plugins/woocommerce/changelog/65426-security-unserialize-allowed-classes
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Security hardening: pass allowed_classes => false to unserialize() in LookupDataStore to prevent PHP Object Injection via crafted cached data.
diff --git a/plugins/woocommerce/src/Internal/ProductAttributesLookup/LookupDataStore.php b/plugins/woocommerce/src/Internal/ProductAttributesLookup/LookupDataStore.php
index 66322ef8e9c..4d0160a30ba 100644
--- a/plugins/woocommerce/src/Internal/ProductAttributesLookup/LookupDataStore.php
+++ b/plugins/woocommerce/src/Internal/ProductAttributesLookup/LookupDataStore.php
@@ -923,7 +923,7 @@ class LookupDataStore {
 		}

 		// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.serialize_unserialize
-		$temp = unserialize( $temp );
+		$temp = unserialize( $temp, array( 'allowed_classes' => false ) );
 		if ( false === $temp ) {
 			throw new \WC_Data_Exception( 0, 'The product attributes metadata row is not properly serialized' );
 		}
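Review bot: The `false === $temp` check right after the changed call does not reject payloads that contain serialized objects: with `allowed_classes => false`, unserialize() returns them as `__PHP_Incomplete_Class` instances instead of failing, so such data still reaches whatever follows. If the row is expected to decode to an array (the rest of the method is outside this hunk, so this is an assumption), the guard could be tightened to `if ( ! is_array( $temp ) ) {`, with any nested values validated before use. It would also help to record the reason next to the phpcs:ignore line, e.g. `// allowed_classes => false: the stored value must never instantiate objects.`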