PT-2026-22464 · Unknown+1 · Contact Form 7+1

Quốc Huy · Published 2026-02-28 · Updated 2026-03-05

CVE-2026-2471

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WP Mail Logging versions prior to 1.15.1

Description: The WP Mail Logging plugin for WordPress is susceptible to PHP Object Injection in versions up to and including 1.15.0. The root cause is deserialization of untrusted input from the email log message field: the BaseModel class constructor calls maybe_unserialize() on database properties without validating them, so an attacker can inject a PHP object through a double-serialized payload. The payload can be submitted through any public-facing form that sends email, such as Contact Form 7, and is deserialized when an administrator views the logged email. The impact is limited unless another plugin or theme containing a PHP Object Payload (POP) chain is installed, in which case actions such as file deletion, data retrieval, or code execution become possible.

Recommendations: Update WP Mail Logging to version 1.15.1 or later.
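The following PHP is an added illustration of the pattern the advisory describes and of a hardened alternative; it is not WP Mail Logging's code. It assumes hypothetical column names (`id`, `subject`, `message`, `attachments`) and ships a minimal stand-in for WordPress core's `maybe_unserialize()` so it runs under plain `php` without WordPress loaded. The sample row is constructed, and the "payload" in the message body is a harmless `stdClass`, enough to show that free text is instantiated as an object by the vulnerable constructor and left as a string by the hardened one.

```php
<?php
// Added illustration (not the plugin's code): a model constructor that runs
// maybe_unserialize() over every stored column turns the attacker-controlled
// message body into an unserialize() sink. The hardened constructor below only
// decodes columns the plugin itself serializes, and never instantiates classes.

// Stand-in for WordPress core helpers, defined only when WordPress is absent.
if ( ! function_exists( 'maybe_unserialize' ) ) {
    function is_serialized( $data ) {
        // Simplified check (assumption): core's is_serialized() is stricter.
        if ( ! is_string( $data ) ) {
            return false;
        }
        $data = trim( $data );
        return 'N;' === $data || 1 === preg_match( '/^[aObidsS]:/', $data );
    }
    function maybe_unserialize( $data ) {
        if ( is_serialized( $data ) ) {
            return @unserialize( trim( $data ) );
        }
        return $data;
    }
}

// Vulnerable pattern: every column, including free text a form submitter
// controls, is deserialized as soon as the row is loaded (e.g. when an
// administrator opens the log entry).
class VulnerableLogRow {
    public $id;
    public $subject;
    public $message;
    public $attachments;

    public function __construct( array $row ) {
        foreach ( $row as $column => $value ) {
            if ( property_exists( $this, $column ) ) {
                $this->$column = maybe_unserialize( $value );
            }
        }
    }
}

// Hardened pattern: decode only the columns the plugin wrote serialized, and
// pass allowed_classes => false so unserialize() cannot instantiate any class
// (objects become __PHP_Incomplete_Class, whose magic methods never run).
class HardenedLogRow {
    public $id;
    public $subject;
    public $message;
    public $attachments;

    // Assumption for the demo: 'attachments' is the only serialized column.
    private const SERIALIZED_COLUMNS = array( 'attachments' );

    public function __construct( array $row ) {
        foreach ( $row as $column => $value ) {
            if ( ! property_exists( $this, $column ) ) {
                continue;
            }
            if ( in_array( $column, self::SERIALIZED_COLUMNS, true ) && is_string( $value ) ) {
                $decoded       = @unserialize( $value, array( 'allowed_classes' => false ) );
                $this->$column = ( false === $decoded ) ? array() : $decoded;
            } else {
                $this->$column = $value; // free text stays a plain string
            }
        }
    }
}

// Constructed sample row: the message body looks like serialized data. A
// harmless stdClass stands in for what a form submission could carry.
function sample_row() {
    return array(
        'id'          => 42,
        'subject'     => 'Contact form: hello',
        'message'     => 'O:8:"stdClass":1:{s:4:"note";s:5:"hello";}',
        'attachments' => serialize( array( 'file.pdf' ) ),
    );
}

function demo( array $row ) {
    $vuln = new VulnerableLogRow( $row );
    $safe = new HardenedLogRow( $row );
    return array(
        'vulnerable_message_type' => gettype( $vuln->message ), // "object": text was instantiated
        'hardened_message_type'   => gettype( $safe->message ), // "string": left as text
        'hardened_attachments'    => $safe->attachments,        // array('file.pdf'): legit data intact
    );
}

var_export( demo( sample_row() ) );
```

When auditing a model layer for this class of bug, the check is the same as the hardened constructor makes explicit: for each column passed to `maybe_unserialize()` or `unserialize()`, confirm the plugin itself wrote serialized data there; anything that originates in a request body (message, subject, headers) should never reach a deserializer at all, and structured columns are better stored as JSON.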

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2026-2471

Affected Products

Contact Form 7
Wp Mail Logging