WP Activity Log < 5.6.4 – Unauthenticated PHP Object Injection | CVE 2026-54806 | Plugin Vulnerabilities

Description

The plugin does not validate or sanitise some input before deserialising it, which could allow unauthenticated users to inject a PHP Object. No known POP chain is present in the vulnerable software, however one present in another plugin or theme installed on the same site could allow attackers to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

wp-security-audit-log

Fixed in 5.6.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/cb7f78b8-670f-4a23-9498-6fa570833642

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

3b7e9c37-2e85-43b2-902b-bcf89a662c68

Timeline

Publicly Published

2026-06-16 (about 12 days ago)

Added

2026-06-23 (about 5 days ago)

Last Updated

2026-06-23 (about 5 days ago)

Other

Published

Title

Published

2024-02-09

Title

Brooklyn <= 4.9.7.6 - PHP Object Injection

Published

2024-01-31

Title

ERE Recently Viewed < 2.0 - Unauthenticated PHP Object Injection

Published

2025-02-14

Title

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider < 3.95.0 - Authenticated (Editor+) PHP Object Injection

Published

2025-05-20

Title

Glossary by WPPedia <= 1.3.0 - Authenticated (Administrator+) PHP Object Injection

Published

2024-01-16

Title

Asgaros Forum < 2.8.0 - Unauthenticated PHP Object Injection in prepare_unread_status