CVE-2026-7635: PHP Object Injection in WordPress Activity Logging
Platform
wordpress
Component
coreactivity
Fixed in
3.1
CVE-2026-7635 describes a PHP Object Injection vulnerability discovered in the coreActivity: Activity Logging plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious PHP code, potentially leading to remote code execution and complete compromise of the WordPress site. The vulnerability affects versions 0.0 through 3.0 and has been resolved in version 3.1, released on May 13, 2026.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
The impact of this vulnerability is significant. An attacker can inject a serialized PHP object via the User-Agent HTTP header, which is then stored and later unserialized by the plugin. Successful exploitation allows for arbitrary code execution on the server hosting the WordPress site. This could lead to data breaches, website defacement, malware installation, and complete system takeover. The attacker does not need to authenticate, making it a highly accessible vulnerability. The ability to execute arbitrary code grants the attacker full control over the affected WordPress instance, potentially impacting all connected systems and data.
Exploitation Context
CVE-2026-7635 is currently not listed on KEV or EPSS, indicating a low to medium probability of active exploitation. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's ease of exploitation and the widespread use of WordPress. The vulnerability was published on May 13, 2026, and it is recommended to monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation is to immediately upgrade the coreActivity: Activity Logging plugin to version 3.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by filtering or stripping potentially malicious characters from the User-Agent header before it is stored in the database. Web Application Firewalls (WAFs) configured to detect and block unserialization attempts can also provide a layer of protection. Specifically, look for rules that block the inclusion of serialized data in HTTP headers. After upgrading, verify the fix by sending a request with a crafted User-Agent header containing a benign serialized object and confirming that it is not executed.
How to fix
Update to version 3.1, or a newer patched version
Frequently asked questions
What is CVE-2026-7635 — PHP Object Injection in WordPress Activity Logging?
CVE-2026-7635 is a HIGH severity vulnerability in the WordPress Activity Logging plugin allowing attackers to inject PHP code via the User-Agent header, potentially leading to remote code execution. It affects versions 0.0 - 3.0.
Am I affected by CVE-2026-7635 in WordPress Activity Logging?
If you are using the coreActivity: Activity Logging plugin for WordPress in version 0.0 through 3.0, you are potentially affected by this vulnerability. Check your plugin version immediately.
How do I fix CVE-2026-7635 in WordPress Activity Logging?
Upgrade the coreActivity: Activity Logging plugin to version 3.1 or later to resolve this vulnerability. If immediate upgrade is not possible, implement temporary workarounds like filtering User-Agent headers.
Is CVE-2026-7635 being actively exploited?
While not currently listed on KEV or EPSS, the ease of exploitation suggests a potential for active exploitation. Monitor security advisories and threat intelligence feeds for updates.
Where can I find the official WordPress advisory for CVE-2026-7635?
Refer to the official WordPress security announcements and the coreActivity: Activity Logging plugin's website for the latest information and advisory regarding CVE-2026-7635.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...