XananasX7 - 31 May 2026

Pull Request resolves #

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This PR adds allowed_classes allowlists to all six unserialize() calls in the Joomla WebAuthn plugins (plg_system_webauthn and plg_multifactorauth_webauthn).

Without allowed_classes, PHP's unserialize() will instantiate any autoloaded class if an attacker can control the session value. The WebAuthn session keys (session.webauthn.pkRequests, session.webauthn.pkRegistration) store Base64-encoded serialized PublicKeyCredential*Options objects — an attacker who can write to the session backend (e.g., via session fixation or a compromised session store) can trigger PHP Object Injection.

Fix: Restrict deserialization to only the expected webauthn-lib classes.

Testing Instructions

  1. Apply the patch.
  2. Confirm normal WebAuthn authentication and registration still works end-to-end.
  3. Optionally: craft a serialized object payload for the session key and confirm it is rejected with a PHP warning (returns false).

Actual result BEFORE applying this Pull Request

unserialize() in WebAuthn plugin session handling has no allowed_classes restriction — any autoloaded PHP class can be instantiated from a controlled session value.

Expected result AFTER applying this Pull Request

unserialize() is restricted to only the specific WebAuthn library classes that legitimately appear in these session values.

Link to documentation

  • No documentation changes for guide.joomla.org needed
  • No documentation changes for manual.joomla.org needed
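The mechanism the PR description relies on, as an added stand-alone example that is not Joomla's or webauthn-lib's code: a session value is Base64(serialize($object)); decoding it with a bare unserialize() lets any loadable class be instantiated, while the allowed_classes form only instantiates the listed classes. The three classes below (DemoRequestOptions, DemoRpEntity, DemoGadget) are stand-ins constructed for the demo; the real plugins store webauthn-lib PublicKeyCredential*Options objects, and the exact class names to allowlist come from the installed webauthn-lib version. Two points of PHP behaviour matter for the "AFTER" check: a class that is not in allowed_classes is returned as a `__PHP_Incomplete_Class` object rather than making unserialize() return false, so the caller must still verify the type with `instanceof`; and the allowlist has to cover every class nested inside the object graph, otherwise the outer object deserializes but its nested properties come back incomplete.

```php
<?php
// Added example, not code from the Joomla PR or from webauthn-lib.
// Demonstrates unrestricted vs. allowed_classes unserialize() on a
// Base64-encoded session value. All classes here are demo stand-ins.
declare(strict_types=1);

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Stand-in for the legitimate object graph: an options object that nests a
// second class, as the real PublicKeyCredential*Options objects do.
final class DemoRpEntity
{
    public $name;
    public function __construct(string $name) { $this->name = $name; }
}

final class DemoRequestOptions
{
    public $challenge;
    public $rp;
    public function __construct(string $challenge, DemoRpEntity $rp)
    {
        $this->challenge = $challenge;
        $this->rp = $rp;
    }
}

// Stand-in for an autoloadable "gadget" class: a magic method that runs on
// deserialization. Here it only records that it was reached.
final class DemoGadget
{
    public static $triggered = false;
    public $cmd = 'noop';
    public function __wakeup(): void { self::$triggered = true; }
}

// What the plugin stores in the session: Base64 of serialize($options).
function encodeSessionValue(object $options): string
{
    return base64_encode(serialize($options));
}

// BEFORE: trusts whatever the session backend hands back.
function decodeUnrestricted(string $b64): mixed
{
    $raw = base64_decode($b64, true);
    return $raw === false ? false : unserialize($raw);
}

// AFTER: only $allowed classes may be instantiated. A disallowed class comes
// back as __PHP_Incomplete_Class (no warning, not false); malformed input
// returns false. Both cases fail the instanceof check and yield null.
function decodeRestricted(string $b64, string $expected, array $allowed): ?object
{
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        return null;
    }
    $obj = unserialize($raw, ['allowed_classes' => $allowed]);
    return $obj instanceof $expected ? $obj : null;
}

$allowed = [DemoRequestOptions::class, DemoRpEntity::class];

// 1. Legitimate round trip still works under the allowlist.
$legit = encodeSessionValue(new DemoRequestOptions('Y2hhbGxlbmdl', new DemoRpEntity('example.org')));
$ok = decodeRestricted($legit, DemoRequestOptions::class, $allowed);
check($ok instanceof DemoRequestOptions && $ok->rp->name === 'example.org', 'legitimate value round-trips');

// 2. A hostile session value (constructed here) carrying the gadget.
$hostile = encodeSessionValue(new DemoGadget());

DemoGadget::$triggered = false;
decodeUnrestricted($hostile);                       // gadget's __wakeup() runs
check(DemoGadget::$triggered === true, 'unrestricted unserialize instantiates the gadget');

DemoGadget::$triggered = false;
$rejected = decodeRestricted($hostile, DemoRequestOptions::class, $allowed);
check($rejected === null && DemoGadget::$triggered === false, 'allowlist blocks the gadget');

// 3. Incomplete allowlist: the outer class is allowed but the nested one is not,
// so $rp is an incomplete object. Every class in the graph must be listed.
$partial = unserialize(base64_decode($legit, true), ['allowed_classes' => [DemoRequestOptions::class]]);
check($partial instanceof DemoRequestOptions && $partial->rp instanceof __PHP_Incomplete_Class,
      'nested class missing from allowlist yields __PHP_Incomplete_Class');

echo "all checks passed\n";
```

Run with `php example.php`. Note that allowed_classes only limits which classes get instantiated; the property values inside an allowed object are still attacker-controlled when the session store is, so the consuming code should continue to validate challenge, RP ID and related fields rather than treating a successfully deserialized options object as trusted.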
XananasX7 - open - 31 May 2026
XananasX7 - change - 31 May 2026
Status: New -> Pending
joomla-cms-bot - change - 31 May 2026
Category: Front End Plugins
brianteeman - comment - 31 May 2026

There was a reason that you were given a template to complete when you submitted this PR. Please update your pr with the required information. You can find the template here https://github.com/joomla/joomla-cms/blob/5.4-dev/.github/PULL_REQUEST_TEMPLATE.md

In addition please read https://github.com/joomla/joomla-cms/security

XananasX7 - change - 31 May 2026
The description was changed
XananasX7 - edited - 31 May 2026
XananasX7 - comment - 31 May 2026

Sorry @brianteeman — I've now updated the PR body with the full template (summary, testing instructions, before/after results, and documentation checkboxes). Thanks for the reminder!
