The shopping cart application contains a PHP object-injection bug.