{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/coreactivity-activity-logging-for-wordpress-plugin--3.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-7635"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["coreActivity: Activity Logging for WordPress plugin \u003c= 3.0"],"_cs_severities":["medium"],"_cs_tags":["cve","wordpress","php object injection","denial of service"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe coreActivity: Activity Logging for WordPress plugin is susceptible to a PHP Object Injection vulnerability (CVE-2026-7635) affecting all versions up to and including 3.0. This flaw arises because the plugin fails to properly validate or sanitize PHP serialization syntax present within the User-Agent HTTP header before persisting it to the logmeta table. Subsequently, the plugin invokes \u003ccode\u003emaybe_unserialize()\u003c/code\u003e on every retrieved \u003ccode\u003emeta_value\u003c/code\u003e in \u003ccode\u003equery_metas()\u003c/code\u003e without verifying that the data was originally serialized by the application. This critical oversight enables unauthenticated attackers to inject malicious PHP serialized payloads via the User-Agent header during any logged event. This can occur during routine actions such as a failed login attempt. When an administrator accesses the Logs page, the injected payload undergoes deserialization and is passed to \u003ccode\u003eDeviceDetector::setUserAgent()\u003c/code\u003e, triggering a Fatal TypeError. 
This results in a persistent Denial of Service (DoS) condition, effectively preventing administrator access to the Logs page.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends an HTTP request to the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the User-Agent header to contain a malicious PHP serialized object.\u003c/li\u003e\n\u003cli\u003eThe coreActivity plugin logs the HTTP request, including the tainted User-Agent string, storing it in the \u003ccode\u003elogmeta\u003c/code\u003e table.\u003c/li\u003e\n\u003cli\u003eAn administrator attempts to view the activity logs via the WordPress admin panel.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s \u003ccode\u003equery_metas()\u003c/code\u003e function retrieves the stored User-Agent string from the database.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emaybe_unserialize()\u003c/code\u003e function is called on the retrieved User-Agent string, deserializing the attacker\u0026rsquo;s payload.\u003c/li\u003e\n\u003cli\u003eThe deserialized object is passed to \u003ccode\u003eDeviceDetector::setUserAgent()\u003c/code\u003e, triggering a Fatal TypeError.\u003c/li\u003e\n\u003cli\u003eThe Fatal TypeError prevents the administrator from accessing the Logs page, resulting in a persistent Denial-of-Service (DoS) condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-7635) results in a persistent Denial of Service (DoS) condition, preventing administrators from accessing the activity logs page. This could hinder security monitoring and incident response efforts, giving attackers more time to conduct malicious activities. The vulnerability impacts all WordPress sites using the coreActivity plugin versions 3.0 and below. 
A CVSS v3.1 base score of 8.1 reflects the high potential for disruption and impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the coreActivity: Activity Logging for WordPress plugin to a version greater than 3.0 to patch CVE-2026-7635.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-7635 Exploitation Attempt via Malicious User-Agent\u0026rdquo; to detect attempts to inject malicious PHP serialized objects via the User-Agent header.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious User-Agent strings containing PHP serialization syntax to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:50:39Z","date_published":"2026-05-13T15:50:39Z","id":"https://feed.craftedsignal.io/briefs/2026-05-coreactivity-php-injection/","summary":"The coreActivity: Activity Logging for WordPress plugin is vulnerable to PHP Object Injection (CVE-2026-7635), allowing unauthenticated attackers to inject a crafted PHP serialized payload via the User-Agent header, leading to a persistent Denial of Service condition.","title":"coreActivity: Activity Logging for WordPress Plugin Vulnerable to PHP Object Injection (CVE-2026-7635)","url":"https://feed.craftedsignal.io/briefs/2026-05-coreactivity-php-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — CoreActivity: Activity Logging for WordPress Plugin \u003c= 3.0","version":"https://jsonfeed.org/version/1.1"}