Description
Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions.
Published: 2026-06-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw in the Anti‑Malware Security and Brute‑Force Firewall plugin for WordPress. An attacker can supply crafted data that is unserialized by the plugin, enabling execution of arbitrary code on the server. This weakness is classified as CWE‑502 and can compromise confidentiality, integrity, and availability of the hosting environment.

Affected Systems

Affected products are the WordPress Anti‑Malware Security and Brute‑Force Firewall plugin by Eli Scheetz. Versions 4.23.87 and earlier are impacted; any deployment using these releases is vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high risk level. EPSS is below 1 %, implying a low probability of exploitation in the wild; the issue is not in the CISA KEV catalog. The likely attack path involves an attacker sending a crafted HTTP request that includes serialized PHP data to the plugin’s endpoints. This inference is based on the nature of PHP Object Injection and typical WordPress plugin handling, as the CVE description does not explicitly state the access vector.

Generated by OpenCVE AI on June 17, 2026 at 23:01 UTC.

Remediation

Vendor Solution

Update the WordPress Anti-Malware Security and Brute-Force Firewall Plugin to the latest available version (at least 4.23.88).


OpenCVE Recommended Actions

  • Update the plugin to version 4.23.88 or later as per vendor recommendation.
  • If an update cannot be applied immediately, temporarily disable the plugin to block further exploitation attempts.
  • Restrict unauthenticated access to the plugin’s processing URLs by configuring web server rules or WordPress capabilities, thereby limiting the attack surface for object injection.

Generated by OpenCVE AI on June 17, 2026 at 23:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Eli Scheetz
Eli Scheetz anti-malware Security And Brute-force Firewall
Wordpress
Wordpress wordpress
Vendors & Products Eli Scheetz
Eli Scheetz anti-malware Security And Brute-force Firewall
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions.
Title WordPress Anti-Malware Security and Brute-Force Firewall plugin <= 4.23.87 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Eli Scheetz Anti-malware Security And Brute-force Firewall
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:36:54.641Z

Reserved: 2026-04-07T10:42:07.235Z

Link: CVE-2026-39478

cve-icon Vulnrichment

Updated: 2026-06-16T12:36:50.554Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:44.220

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39478

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:45:40Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data