Tuesday, 6 January 2015

Is PHP unserialize() exploitable without any 'interesting' methods?



Say that there was a publicly accessible web page with the following PHP code:



<?php
class NotInteresting
{
    public function noExploits() {
        echo "Whatever.";
    }
}

// The 'data' URL parameter is deserialized as-is, with no validation
$unsafe = unserialize($_GET['data']);
$unsafe->noExploits();
?>


The code would expect the data URL parameter to contain a serialized instance of NotInteresting, but of course the data parameter can be manipulated. When unserialize() is used on user-supplied data, it often leads to PHP Object Injection.


However, all the examples of PHP Object Injection I have seen so far (1,2,3) have been dangerous for one of two reasons:



  1. There were some exploitable classes with dangerous methods (which were only meant to be called internally) which were leveraged to execute arbitrary code, often the case for a CMS.

  2. The version of PHP was old or outdated and vulnerabilities in the PHP code were exploited.


Given that the PHP version is current - that is, no known vulnerabilities exist in the unserialize() function - and that there are no custom classes defined (just the default ones - Exception, stdClass etc.), is it possible to leverage the above code for a successful attack on a default PHP installation?
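A hardened form of the snippet above, as an added example that is not part of the original post. It assumes PHP 7.0 or later for the allowed_classes option of unserialize(); loadNotInteresting(), the size limit and the sample inputs are constructed for illustration.

```php
<?php
class NotInteresting
{
    public function noExploits()
    {
        echo "Whatever.";
    }
}

/**
 * Hypothetical helper: deserialize untrusted input, accepting only a
 * NotInteresting instance. Returns null for anything else.
 */
function loadNotInteresting($raw)
{
    // $_GET values can be arrays; also cap the size (constructed limit).
    if (!is_string($raw) || strlen($raw) > 1024) {
        return null;
    }

    // Classes outside the allow-list are instantiated as
    // __PHP_Incomplete_Class, so their magic methods
    // (__wakeup, __destruct, ...) are never invoked.
    $value = @unserialize($raw, ['allowed_classes' => [NotInteresting::class]]);

    // unserialize() may also return false, a scalar or an array;
    // only call methods on the type the page expects.
    return ($value instanceof NotInteresting) ? $value : null;
}

// Constructed sample inputs standing in for $_GET['data'].
$samples = [
    'expected object' => serialize(new NotInteresting()),
    'other class'     => 'O:8:"stdClass":0:{}',
    'scalar'          => 'i:42;',
    'garbage'         => 'not serialized data',
];

foreach ($samples as $label => $raw) {
    $obj = loadNotInteresting($raw);
    if ($obj === null) {
        echo "$label: rejected\n";
        continue;
    }
    echo "$label: ";
    $obj->noExploits();
    echo "\n";
}
```

The allow-list limits which classes get instantiated; it does not address bugs in unserialize() itself, the second category listed above.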




