CVE-2026-7635 HIGH

CVE-2026-7635: coreActivity: Activity Logging for WordPress <= 3.0 - Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field

Vendor Gdragon
Product coreActivity: Activity Logging for WordPress
Weakness CWE-502 · Unsafe deserialization
Published May 13, 2026
Last update May 13, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta table, and subsequently calling `maybe_unserialize()` on every retrieved `meta_value` in `query_metas()` without verifying the data was originally serialized by the application. This makes it possible for unauthenticated attackers to inject a crafted PHP serialized payload via the User-Agent header during any logged event (such as a failed login attempt), which, when an administrator views the Logs page, is deserialized and passed to `DeviceDetector::setUserAgent()`, triggering a Fatal TypeError that creates a persistent Denial of Service condition blocking administrator access to the Logs page entirely.

Explanation of Vulnerability in Simple Terms

02Summary

The coreActivity plugin for WordPress improperly deserializes untrusted data, allowing an attacker to execute arbitrary PHP code on the site. The vulnerability affects versions 0 through 3.0. No authentication is required, but the attack requires specific conditions to be met. Site administrators should update immediately to a patched version.

What an attacker can do

03Attacker Capabilities

Run arbitrary PHP code on the site and take full control of it.

Potential impact on your site

04Site Impact

Complete compromise of the WordPress installation, including data theft, malware injection, and site defacement.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication required, but attack complexity is high.

Key dates

06Disclosure timeline

May 13, 2026 CVE published
May 13, 2026 Record updated

Related vulnerabilities

08Related CVE