Description
The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta table, and subsequently calling `maybe_unserialize()` on every retrieved `meta_value` in `query_metas()` without verifying the data was originally serialized by the application. This makes it possible for unauthenticated attackers to inject a crafted PHP serialized payload via the User-Agent header during any logged event (such as a failed login attempt), which, when an administrator views the Logs page, is deserialized and passed to `DeviceDetector::setUserAgent()`, triggering a Fatal TypeError that creates a persistent Denial of Service condition blocking administrator access to the Logs page entirely.
Published: 2026-05-13
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The coreActivity plugin for WordPress stores the raw User‑Agent HTTP header in the logmeta table without sanitization. A malicious actor can send a specially crafted PHP serialized payload in the User‑Agent header during any event that the plugin logs. When an administrator later views the Logs page, the plugin unserializes the stored meta_value and passes it to DeviceDetector::setUserAgent(). The unserialized payload triggers a Fatal TypeError, causing the Logs page to fail permanently and preventing administrators from accessing it, effectively creating a persistent Denial of Service.

Affected Systems

The vulnerability affects the coreActivity Activity Logging plugin for WordPress, all released versions up to and including 3.0. Users of these versions should verify their installed plugin version and be aware that the plugin is responsible for logging activity data.

Risk and Exploitability

The CVSS score for this issue is 8.1, indicating a high severity level. The EPSS score is not available, so the current exploit probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers do not need authentication; they only need to send a crafted User‑Agent header to any HTTP request that triggers the plugin’s logging. Since the malicious payload causes an error when an admin accesses the logs, the impact is localized to the administrative interface rather than the entire server.

Generated by OpenCVE AI on May 13, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade coreActivity to the latest stable release (>=3.1), which removes the unsanitized deserialization logic.
  • Configure your web server or security appliance to strip or validate PHP serialized data from User‑Agent headers before they reach WordPress, or block non‑standard User‑Agent strings from logged events.
  • Disable or modify the coreActivity logging of the User‑Agent field, or alternatively use a plugin that sanitizes this data, to prevent the stored value from containing malicious serialized objects.

Generated by OpenCVE AI on May 13, 2026 at 05:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Gdragon
Gdragon coreactivity: Activity Logging For Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Gdragon
Gdragon coreactivity: Activity Logging For Wordpress
Wordpress
Wordpress wordpress

Wed, 13 May 2026 04:45:00 +0000

Type Values Removed Values Added
Description The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta table, and subsequently calling `maybe_unserialize()` on every retrieved `meta_value` in `query_metas()` without verifying the data was originally serialized by the application. This makes it possible for unauthenticated attackers to inject a crafted PHP serialized payload via the User-Agent header during any logged event (such as a failed login attempt), which, when an administrator views the Logs page, is deserialized and passed to `DeviceDetector::setUserAgent()`, triggering a Fatal TypeError that creates a persistent Denial of Service condition blocking administrator access to the Logs page entirely.
Title coreActivity: Activity Logging for WordPress <= 3.0 - Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Gdragon Coreactivity: Activity Logging For Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-13T10:22:54.152Z

Reserved: 2026-05-01T15:23:35.095Z

Link: CVE-2026-7635

cve-icon Vulnrichment

Updated: 2026-05-13T10:19:03.402Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T05:16:24.737

Modified: 2026-05-13T14:43:46.717

Link: CVE-2026-7635

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:34:54Z

Weaknesses