The Object Injection vulnerability in WordPress (CVE-2022-21663) is a code vulnerability that enables attackers to inject PHP objects of arbitrary types into the application, which can then tamper with the application's logic at runtime. The vulnerability was discovered and reported by a security researcher who found an asymmetry between two functions in the WordPress core. This vulnerability was fixed with version 5.8.3, but it highlights the importance of careful consideration when handling and interpreting data in software applications to prevent similar issues. The vulnerability can be exploited if a malicious super-admin gains access to a multi-site WordPress installation by exploiting a Cross-Site-Scripting vulnerability or installing a malicious plugin. The vulnerability is particularly concerning because it allows an attacker to run any database upgrade scripts, including those that operate on controllable data, such as option values and meta-data associated with users and posts. This gives the attacker access to an interesting attack surface in the WordPress core.