Impact
Unauthenticated PHP Object Injection in WP Activity Log plugin versions 5.6.3.1 and earlier allows an attacker to send serialized payloads that PHP will unserialize, potentially leading to arbitrary code execution, data tampering, or privilege escalation. The flaw is a classic object injection weakness (CWE-502) and, given the high CVSS score of 9.8, can compromise the confidentiality, integrity, and availability of the affected WordPress site.
Affected Systems
All WordPress sites that have installed the Melapress WP Activity Log plugin at version 5.6.3.1 or earlier are impacted. The vulnerability is present until the plugin is updated to at least version 5.6.4. No additional components are mentioned, so any installation that can receive serialized data through the plugin is vulnerable.
Risk and Exploitability
The CVSS base score of 9.8 places the flaw in the critical range, and while the EPSS score is not available, the unauthenticated nature of the attack vector means any visitor can trigger exploitation by sending a crafted request. The vulnerability is not listed in the CISA KEV catalog, but its high severity and lack of mitigation make it a high-priority risk.
OpenCVE Enrichment