External risk intelligence

PHP Object Injection in WP Activity Log

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-54806

An unauthenticated PHP Object Injection vulnerability exists in the WP Activity Log plugin, potentially allowing attackers to compromise affected websites by injecting and executing arbitrary PHP objects. This could lead to unauthorized control, data manipulation, or service disruption.

Deserialization

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

The vulnerability affects a WordPress plugin, which is typically deployed as part of an internet-facing web application. Since web applications are frequently exposed to the public internet to provide functionality to users, this plugin's attack surface is commonly reachable from the internet.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in a widely used WordPress plugin, allowing unauthenticated attackers to inject malicious code through improperly handled PHP objects. This could potentially lead to a complete compromise of affected websites.

  • Code injection vulnerability in a WordPress plugin.
  • Could allow unauthorized control of websites.
  • Confirm plugin relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit a PHP Object Injection flaw in the WP Activity Log plugin. This vulnerability allows an attacker to send specially crafted data to the plugin, which can then lead to the injection and execution of arbitrary PHP objects. The successful exploitation of this vulnerability could result in a complete compromise of the affected WordPress site.

  • No authentication is required to access.
  • Specially crafted data triggers injection.
  • Leads to full site compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject malicious code into the system by exploiting how the WP Activity Log plugin handles serialized PHP data. When supported by the advisory, this could lead to the execution of arbitrary code, manipulation of data, or disruption of services.

  • Affects plugin data and system integrity.
  • Achieved via unauthenticated PHP object injection.
  • Could lead to code execution and service disruption.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the WP Activity Log plugin likely requires action from application owners, infrastructure teams, and potentially network/security teams. The first practical step is to identify all instances of the affected plugin, confirm their exposure and business criticality, and then assign ownership for remediation planning based on the identified risk.

  • Application owners should own the issue.
  • Verify plugin reachability and business criticality.
  • Plan remediation based on risk and impact.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-54806 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This PHP Object Injection vulnerability allows unauthenticated attackers to execute code remotely, potentially leading to a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the WP Activity Log plugin?

WP Activity Log is a tool used by WordPress administrators to monitor and track user activity and site changes. It functions as an audit log, recording events like post edits, login attempts, and configuration adjustments to help maintain site security and compliance. It is widely installed on WordPress websites to provide visibility into backend operations.

What does PHP Object Injection mean for CVE-2026-54806?

This vulnerability, classified as CWE-502, occurs when an application improperly processes untrusted, serialized data. Because the plugin handles this data unsafely, an attacker can inject malicious PHP objects into the system. This weakness can allow an attacker to manipulate application behavior, potentially leading to unauthorized code execution or complete control over the affected WordPress site.

How is this vulnerability triggered?

An attacker triggers this flaw by sending specially crafted, malicious data to the affected plugin. Because the plugin fails to properly validate this input, the system attempts to process it as a legitimate object. Note that this attack does not require any prior authentication; valid user credentials or administrative access are not necessary to initiate the exploit.

Why should I care about this vulnerability?

Halo Surface Signal indicates that because this plugin is part of a web application, it is typically accessible from the public internet. This connectivity provides a direct path for remote attackers to interact with the vulnerable component. If your WordPress site is internet-facing, the plugin's attack surface is likely reachable by unauthorized parties, increasing the potential risk to your site's integrity.

What steps should I take if I use this plugin?

Begin by auditing your environment to locate all installations of the WP Activity Log plugin and confirming which versions are currently active. Once identified, evaluate the business criticality of those specific sites to prioritize your response. Assign clear ownership to the relevant teams to manage remediation and ensure that all affected instances are brought up to a secure state.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished