PT-2026-40565 · WordPress · Coreactivity: Activity Logging
Published
2026-05-13
·
Updated
2026-05-17
·
CVE-2026-7635
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
coreActivity: Activity Logging for WordPress versions prior to 3.1
Description
The plugin is susceptible to PHP Object Injection, a condition where untrusted data is passed to a deserialization function, potentially allowing the execution of arbitrary code or causing application crashes. The issue occurs because the software fails to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the
logmeta table. Subsequently, the query metas() function calls maybe unserialize() on every retrieved meta value without verifying the data source. Unauthenticated attackers can inject a crafted PHP serialized payload via the User-Agent header during logged events. When an administrator accesses the Logs page, this payload is passed to the DeviceDetector::setUserAgent() function, triggering a Fatal TypeError that results in a persistent Denial of Service, blocking administrator access to the Logs page.Recommendations
Update to a version later than 3.0.
Exploit
Fix
DoS
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Coreactivity: Activity Logging