Anti-Malware Security and Brute-Force Firewall < 4.23.88 – Contributor+ PHP Object Injection | CVE 2026-39478 | Plugin Vulnerabilities

Description

The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input, allowing authenticated attackers with Contributor-level access and above to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Fixed in 4.23.88

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c708698f-a38a-4213-a022-817b380e64df

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

42a8d9d8-e0a5-47f3-8d42-736d6ef7d094

Timeline

Publicly Published

2026-04-20 (about 2 months ago)

Added

2026-05-04 (about 1 month ago)

Last Updated

2026-05-04 (about 1 month ago)

Other

Published

Title

Published

2024-11-15

Title

My Geo Posts Free <= 1.2 - Unauthenticated PHP Object Injection

Published

2026-01-13

Title

Vivagh <= 2.4 - Authenticated (Subscriber+) PHP Object Injection

Published

2025-06-04

Title

PressGrid - Frontend Publish Reaction & Multimedia Theme <= 1.3.1 - Unauthenticated PHP Object Injection

Published

2013-09-11

Title

WordPress 3.6 - PHP Object Injection

Published

2026-06-04

Title

WP Travel Engine – Tour Booking Plugin – Tour Operator Software < 6.8.0 - Unauthenticated PHP Object Injection