PT-2026-40565 · WordPress · Coreactivity: Activity Logging

Published

2026-05-13

·

Updated

2026-05-17

·

CVE-2026-7635

CVSS v3.1

8.1

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions coreActivity: Activity Logging for WordPress versions prior to 3.1
Description The plugin is susceptible to PHP Object Injection, a condition where untrusted data is passed to a deserialization function, potentially allowing the execution of arbitrary code or causing application crashes. The issue occurs because the software fails to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta table. Subsequently, the query metas() function calls maybe unserialize() on every retrieved meta value without verifying the data source. Unauthenticated attackers can inject a crafted PHP serialized payload via the User-Agent header during logged events. When an administrator accesses the Logs page, this payload is passed to the DeviceDetector::setUserAgent() function, triggering a Fatal TypeError that results in a persistent Denial of Service, blocking administrator access to the Logs page.
Recommendations Update to a version later than 3.0.

Exploit

Fix

DoS

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-7635

Affected Products

Coreactivity: Activity Logging