OFFSITE.DARK

Jun 29, 2026


Sploitus

  • wordpress
  • php
  • deserialization
  • cve-2026-54806
  • rce

news

WP Activity Log PHP Object Injection to RCE (CVE-2026-54806)

Unauthenticated User-Agent POI stored in audit log; WP_HTML_Token gadget deserializes on admin dashboard view — blind RCE, CVSS 9.8.

Summary

CVE-2026-54806 is a critical unauthenticated PHP Object Injection in WP Activity Log (wp-security-audit-log) ≤ 5.6.3.1 (fixed 5.6.4; CVSS 9.8). Attackers inject serialized objects via the User-Agent header on requests that generate audit events (e.g. failed login). Payloads persist in the database and deserialize when an administrator loads the dashboard — blind RCE (no output to attacker). joshuavanderpoll/CVE-2026-54806 chains a WP_HTML_Token gadget.

Key Findings

Finding           Detail
CVE               CVE-2026-54806
Weakness          CWE-502 — deserialization of attacker-controlled audit log fields
Injection vector  User-Agent on unauthenticated logged events
Trigger           Admin visits WP Activity Log UI (deserialization on read)
Gadget chain      WP_HTML_Token (WP 6.4.0–6.4.1; public properties survive sanitize_text_field + 255-char column)
PoC features      --check, --command, --shell, --write-file; Docker lab with admin-bot

Attack Chain

Attacker: failed login + malicious User-Agent (serialized object)
        ↓
Plugin stores object in audit DB column
        ↓
Admin opens dashboard / log view
        ↓
Unsafe deserialization → RCE as web user (blind)

Impact

Full WordPress compromise when an administrator session triggers deserialization — typical path is waiting for organic admin traffic or social engineering. Comparable to other blind POI chains in audit/logging plugins.

Mitigation

  1. Upgrade WP Activity Log to 5.6.4+ immediately.
  2. Block suspicious User-Agent patterns at WAF; monitor for serialized PHP object signatures in headers.
  3. Assume breach if plugin ≤ 5.6.3.1 was internet-exposed: rotate salts, review admins, hunt web shells.
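Mitigation step 2 calls for monitoring serialized PHP object signatures in request headers. The detector below is an added example written for this page; it is not code from the advisory, the PoC, or the plugin's authors. It parses combined-format access log lines (undoing Apache \" and nginx \x22 escaping inside quoted fields, and URL-encoding in the header itself), looks for PHP serialized object headers in the User-Agent field, checks that the declared class-name length matches the name to cut accidental matches, and raises the severity when the class is on a watch list. The sample log lines are constructed, the serialized objects in them are empty placeholders that carry only a class name, and the watch list (seeded with WP_HTML_Token, the gadget class named above) is an assumption you would extend for your own environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Serialized PHP object header: O:<len>:"<class>":<props>:{  (C: is the Serializable form)
PHP_OBJECT_RE = re.compile(r'[OC]:(?P<len>\d+):"(?P<cls>[^"]+)":\d+:\{')

# Assumption: gadget classes worth a high-severity alert in this environment.
WATCHED_CLASSES = {"WP_HTML_Token"}

# Combined log format; quoted fields may contain \" (Apache) or \xHH (nginx) escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:\\.|[^"\\])*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>(?:\\.|[^"\\])*)" "(?P<ua>(?:\\.|[^"\\])*)"$'
)


def unescape_log_field(value: str) -> str:
    r"""Undo Apache (\") and nginx (\xHH) escaping inside a quoted log field."""
    value = re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)
    return re.sub(r'\\(["\\])', r'\1', value)


def find_php_objects(text: str) -> List[str]:
    """Return class names of PHP serialized objects found in text.

    The declared length must equal the class-name length; a header that
    merely contains something like 'O:1:' does not qualify.
    """
    decoded = unquote(text)  # headers are often URL-encoded by the sender
    found = []
    for m in PHP_OBJECT_RE.finditer(decoded):
        if int(m.group("len")) == len(m.group("cls")):
            found.append(m.group("cls"))
    return found


@dataclass
class Finding:
    ip: str
    request: str
    classes: List[str]
    severity: str  # "high" if a watched gadget class is present, else "medium"


def scan_line(line: str) -> Optional[Finding]:
    """Parse one access log line; return a Finding if the User-Agent carries a PHP object."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = unescape_log_field(m.group("ua"))
    classes = find_php_objects(ua)
    if not classes:
        return None
    severity = "high" if WATCHED_CLASSES & set(classes) else "medium"
    return Finding(m.group("ip"), m.group("req"), classes, severity)


def scan_log(lines: List[str]) -> List[Finding]:
    """Run scan_line over a batch of lines and keep only the hits."""
    return [f for f in map(scan_line, lines) if f is not None]


# Constructed sample lines, not real traffic. Each object is an empty placeholder
# carrying only a class name, which is enough to exercise the detector.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jun/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    # Apache-style escaping of the quotes inside the User-Agent
    '203.0.113.9 - - [29/Jun/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" '
    '"O:8:\\"stdClass\\":0:{}"',
    # nginx-style \x22 escaping, watched class name
    '203.0.113.9 - - [29/Jun/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" '
    '"O:13:\\x22WP_HTML_Token\\x22:0:{}"',
    # URL-encoded header, no quotes in the raw line at all
    '203.0.113.9 - - [29/Jun/2026:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" '
    '"O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ip} {f.request!r} classes={f.classes}")
```

The three encodings in the sample (Apache escaping, nginx escaping, URL-encoding) are the ones that most often make a naive grep for O:<n>:" miss a hit in practice; normalising each field before matching is what makes the rule usable as a log-hunting query or as the basis of a WAF signature. Any hit on a login or other unauthenticated endpoint against a site still running the plugin at 5.6.3.1 or below should be treated per mitigation step 3.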
