How Serialized Cookies Led to RCE on a WordPress Website

This report documents an insecure deserialization vulnerability in Nextcloud's WordPress custom theme where a cookie (nc_form_fields) was base64-decoded and passed to PHP unserialize(), enabling RCE via gadget chains such as Monolog's FingersCrossedHandler; the issue was responsibly disclosed and patched by replacing unserialize with json_decode.