
WP Activity Log EUVD-2026-37642

CVE-2026-54806 · CRITICAL · Deserialization of Untrusted Data (CWE-502)
2026-06-17 · Patchstack
CVSS 3.1 base score 9.8 (vendor: Patchstack)

Severity by source

Vendor (Patchstack), primary: 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 9.8 CRITICAL
Unauthenticated network-reachable PHP object injection in a WordPress plugin yields RCE-class impact: AV:N, AC:L, PR:N, UI:N, and full C/I/A High.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026, 11:51 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in WP Activity Log <= 5.6.3.1 versions.

Analysis (AI)

Unauthenticated PHP object injection in the WP Activity Log WordPress plugin, versions 5.6.3.1 and earlier, allows remote attackers to deliver crafted serialized payloads that the plugin passes to unserialize(). The attacker does not need a gadget in the plugin itself: any POP (property-oriented programming) gadget chain present in WordPress core, other active plugins, or the theme becomes reachable. With a CVSS 3.1 base of 9.8 (AV:N/AC:L/PR:N/UI:N), successful exploitation typically yields remote code execution, arbitrary file operations, or database compromise on the affected site. …
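Added example, written for this page (it is not code from WP Activity Log, Melapress, or the Patchstack advisory): the vulnerable pattern the analysis describes, beside two hardened forms. The CacheFlusher gadget class, the handler names and the payload are constructed stand-ins; the plugin's real endpoint and the gadget chains available on a given site are not shown on this page.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget class (an assumption for illustration; not a class from
// WP Activity Log or WordPress core). Real POP chains end in sinks such as
// file_put_contents(), unlink() or $wpdb->query() fed from object properties.
final class CacheFlusher
{
    public string $path = '';

    // Fires automatically when the object is destroyed, i.e. as soon as the
    // value returned by unserialize() goes out of scope. Nobody calls it.
    public function __destruct()
    {
        echo "[gadget] __destruct reached with attacker-chosen path: {$this->path}\n";
    }
}

// Vulnerable sink: the shape of the bug class the advisory describes.
function vulnerable_handler(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened sink 1: no class may be instantiated. Objects in the payload come
// back as __PHP_Incomplete_Class and no magic method ever runs.
function hardened_handler(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened sink 2 (preferred for new code): do not use PHP serialization for
// data that crosses a trust boundary. JSON cannot carry objects with behaviour.
function json_handler(string $untrusted): array
{
    $data = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a JSON object or array');
    }
    return $data;
}

// Constructed attacker payload, assembled by hand rather than with serialize()
// so that no CacheFlusher instance exists until unserialize() creates one.
$path    = '/var/www/html/wp-config.php';
$payload = sprintf('O:%d:"%s":1:{s:4:"path";s:%d:"%s";}',
    strlen('CacheFlusher'), 'CacheFlusher', strlen($path), $path);

echo "--- vulnerable_handler ---\n";
$obj = vulnerable_handler($payload);
echo 'instantiated: ', get_class($obj), "\n";   // CacheFlusher
unset($obj);                                     // __destruct runs here

echo "--- hardened_handler ---\n";
$safe = hardened_handler($payload);
echo 'instantiated: ', get_class($safe), "\n";  // __PHP_Incomplete_Class
unset($safe);                                    // nothing runs

echo "--- json_handler ---\n";
try {
    json_handler($payload);                      // serialized PHP is not JSON
} catch (JsonException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with PHP 8. unserialize() fires __wakeup() while parsing and __destruct() when the object is released, so the gadget runs even though the handler never uses the returned value. With allowed_classes set to false the same bytes produce an __PHP_Incomplete_Class that has no magic methods; unserialize() still returns false with a warning on malformed input, so check the return value. Wrapping the call in WordPress's maybe_unserialize() is not a mitigation: it only checks that the string looks serialized before calling unserialize() unchanged.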


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify a WordPress site running WP Activity Log ≤ 5.6.3.1
Delivery: Craft a serialized PHP object using a known gadget chain
Exploit: Send an unauthenticated HTTP request to the vulnerable endpoint
Execution: Plugin deserializes the attacker payload
Persist: Magic methods trigger the gadget chain
Impact: Achieve RCE or file/database compromise

Vulnerability Assessment (AI)

Exploitation: The target WordPress site must have the WP Activity Log plugin (slug wp-security-audit-log) installed and active at version 5.6.3.1 or earlier, with the vulnerable deserialization endpoint reachable over HTTP/HTTPS. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: All signals point to a genuine high-severity issue: CVSS 9.8 with AV:N/AC:L/PR:N/UI:N means it is reachable over the network at low complexity with no authentication or user interaction, and the CIA impact is High across the board. … Full risk analysis with EPSS, KEV, and SSVC signal comparison is available after sign-in.
Exploit Scenario: An unauthenticated attacker sends an HTTP request to a WP Activity Log endpoint that passes user input into unserialize(), embedding a serialized PHP object designed to trigger a POP gadget chain from WordPress core or another installed plugin. When the plugin deserializes the payload, the chained magic methods execute, leading to arbitrary file write, SQL execution, or PHP code execution depending on the gadgets available on the target site. …
Remediation: An upstream fix is available per the Patchstack advisory. A specific patched release version is not independently confirmed in the input data, so administrators should upgrade WP Activity Log to the latest version newer than 5.6.3.1 published by Melapress and verify that the changelog references this PHP object injection fix (advisory: https://patchstack.com/database/wordpress/plugin/wp-security-audit-log/vulnerability/wordpress-wp-activity-log-plugin-5-6-3-1-php-object-injection-vulnerability). … Detailed patch versions, workarounds, and compensating controls are in the full report.

Recommended Action (AI)

Within 24 hours: upgrade WP Activity Log to a release newer than 5.6.3.1 on all WordPress installations, or, where an immediate upgrade is not possible, deactivate and uninstall the plugin; verify the installed version or the removal via the admin plugins list. …
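A compensating control for the window before the upgrade lands, as an added example (mine, not code from the advisory or the plugin): a must-use plugin that rejects any request parameter carrying a serialized PHP object before WP Activity Log or any other plugin can unserialize it. The file name, the parameter names in the constructed sample request and the regular expression are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical file: wp-content/mu-plugins/block-serialized-objects.php

// Object markers of PHP's serialization format:
//   O:<len>:"<class>"   plain object
//   C:<len>:"<class>"   class implementing Serializable
// anchored at the start of the value or after a nesting delimiter, so an
// object hidden inside an array payload (a:1:{i:0;O:...}) is caught as well.
const SERIALIZED_OBJECT_RE = '/(?:^|[{;:])[OC]:\d+:"/';

function contains_serialized_object(string $value): bool
{
    if (preg_match(SERIALIZED_OBJECT_RE, $value) === 1) {
        return true;
    }
    // Many handlers base64-decode before unserializing; look one layer deep.
    if (strlen($value) % 4 === 0 && preg_match('/^[A-Za-z0-9+\/]+={0,2}$/', $value) === 1) {
        $decoded = base64_decode($value, true);
        return $decoded !== false && preg_match(SERIALIZED_OBJECT_RE, $decoded) === 1;
    }
    return false;
}

// Walks nested request arrays; returns dotted paths of offending parameters.
function find_serialized_objects(array $params, string $prefix = ''): array
{
    $hits = [];
    foreach ($params as $key => $value) {
        $path = $prefix === '' ? (string) $key : "$prefix.$key";
        if (is_array($value)) {
            $hits = array_merge($hits, find_serialized_objects($value, $path));
        } elseif (is_string($value) && contains_serialized_object($value)) {
            $hits[] = $path;
        }
    }
    return $hits;
}

if (defined('ABSPATH')) {
    // Loaded by WordPress: mu-plugins run before ordinary plugins, so this
    // executes before any plugin code can reach the request parameters.
    $hits = find_serialized_objects($_GET + $_POST + $_COOKIE);
    if ($hits !== []) {
        error_log('blocked serialized object in request: ' . implode(', ', $hits));
        http_response_code(400);
        exit('Bad Request');
    }
} elseif (PHP_SAPI === 'cli') {
    // Stand-alone demo on a constructed request (php block-serialized-objects.php).
    $sample = [
        'action'   => 'some_action',                   // hypothetical parameter names
        'nonce'    => 'abc123',
        'data'     => 'a:1:{i:0;O:12:"CacheFlusher":1:{s:4:"path";s:1:"x";}}',
        'blob'     => base64_encode('O:8:"stdClass":0:{}'),
        'settings' => ['label' => 'Order: 12', 'count' => '3'],
    ];
    var_dump(find_serialized_objects($sample));        // ["data", "blob"]
}
```

Limits worth knowing before relying on it: the filter inspects only $_GET, $_POST and $_COOKIE, not a raw JSON body read from php://input, and pattern-based filters for this bug class have been bypassed in the past, so it is a stopgap that does not replace the upgrade. Legitimate requests rarely carry serialized objects, but watch the error log for false positives while it is in place.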
