- wordpress
- php
- deserialization
- cve-2026-54806
- rce
news
WP Activity Log PHP Object Injection to RCE (CVE-2026-54806)
Unauthenticated User-Agent POI stored in audit log; WP_HTML_Token gadget deserializes on admin dashboard view — blind RCE, CVSS 9.8.
Summary
CVE-2026-54806 is a critical unauthenticated PHP Object Injection (POI) in WP Activity Log (wp-security-audit-log) ≤ 5.6.3.1 (fixed in 5.6.4; CVSS 9.8). An attacker injects a serialized PHP object via the User-Agent header of any request that generates an audit event (e.g. a failed login). The payload persists in the database and is deserialized when an administrator loads the dashboard, giving blind RCE (no output is returned to the attacker). The public PoC, joshuavanderpoll/CVE-2026-54806, chains the WP_HTML_Token gadget.
Key Findings
| Finding | Detail |
|---|---|
| CVE | CVE-2026-54806 |
| Weakness | CWE-502 — deserialization of attacker-controlled audit log fields |
| Injection vector | User-Agent on unauthenticated logged events |
| Trigger | Admin visits WP Activity Log UI (deserialization on read) |
| Gadget chain | WP_HTML_Token (WP 6.4.0–6.4.1; public properties survive sanitize_text_field + 255-char column) |
| PoC features | --check, --command, --shell, --write-file; Docker lab with admin-bot |
Attack Chain
Attacker: failed login + malicious User-Agent (serialized object)
↓
Plugin stores object in audit DB column
↓
Admin opens dashboard / log view
↓
Unsafe deserialization → RCE as web user (blind)
Impact
Full WordPress compromise when an administrator session triggers deserialization — typical path is waiting for organic admin traffic or social engineering. Comparable to other blind POI chains in audit/logging plugins.
Mitigation
- Upgrade WP Activity Log to 5.6.4+ immediately.
- Block suspicious User-Agent patterns at WAF; monitor for serialized PHP object signatures in headers.
- Assume breach if plugin ≤ 5.6.3.1 was internet-exposed: rotate salts, review admins, hunt web shells.
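The header-monitoring step above, as an added example that is not part of the original post or of the plugin's code: a small Python scanner that flags serialized-PHP object signatures in User-Agent values taken from NCSA combined access logs, and runs the same check over raw column values exported from the audit-log table for post-upgrade hunting. The log lines are constructed, the stdClass and array payloads are dummies, and WP_HTML_Token appears only because the page names it as the gadget class; the severity tiers are this example's own convention.

```python
import re
from dataclasses import dataclass

# Signature of a serialized PHP object: O:<len>:"<class>":<nprops>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')

# Other serialized-PHP tokens that never belong in a User-Agent value
# (arrays, strings, ints, bools, null). The lookbehind avoids matching inside words.
PHP_SERIAL_MARKERS = re.compile(
    r'(?<![A-Za-z0-9])(?:a:\d+:\{|s:\d+:"|i:-?\d+;|b:[01];|N;)'
)

# Class the page names as the gadget; extend from your own gadget inventory.
KNOWN_GADGETS = {"WP_HTML_Token"}


@dataclass
class Finding:
    line_no: int
    value: str
    classes: list
    severity: str


def extract_user_agent(log_line: str):
    """Return the User-Agent from an NCSA combined log line (the last quoted
    field), or None for lines that carry fewer than three quoted fields."""
    quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', log_line)
    if len(quoted) < 3:
        return None
    # Apache escapes embedded quotes as \" ; undo that so the PHP regexes apply.
    return quoted[-1].replace('\\"', '"')


def classify(value: str):
    """Return (class_names, severity) for one header or stored-column value.
    high: serialized object of a known gadget class; medium: any serialized
    object; low: other serialized-PHP tokens; None: nothing suspicious."""
    classes = PHP_OBJECT_RE.findall(value)
    if classes:
        sev = "high" if any(c in KNOWN_GADGETS for c in classes) else "medium"
        return classes, sev
    if PHP_SERIAL_MARKERS.search(value):
        return [], "low"
    return [], None


def scan_log_lines(lines):
    """Scan access-log lines; return one Finding per suspicious User-Agent."""
    findings = []
    for n, line in enumerate(lines, start=1):
        ua = extract_user_agent(line)
        if ua is None:
            continue
        classes, sev = classify(ua)
        if sev:
            findings.append(Finding(n, ua, classes, sev))
    return findings


def scan_stored_values(values):
    """Same check over raw column values exported from the audit-log table,
    for hunting payloads that persisted before the plugin was upgraded."""
    findings = []
    for i, v in enumerate(values, start=1):
        classes, sev = classify(v)
        if sev:
            findings.append(Finding(i, v, classes, sev))
    return findings


# Constructed sample log lines (not real traffic). Line 2 carries a serialized
# object of the gadget class named on the page with a dummy property only;
# line 3 a serialized stdClass; line 4 a serialized array; lines 1 and 5 are
# benign; line 6 is common (not combined) format and has no User-Agent field.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/May/2026:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"',
    '203.0.113.10 - - [01/May/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "O:13:\\"WP_HTML_Token\\":1:{s:1:\\"x\\";i:1;}"',
    '203.0.113.11 - - [01/May/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "O:8:\\"stdClass\\":1:{s:1:\\"a\\";i:1;}"',
    '203.0.113.12 - - [01/May/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 a:1:{i:0;s:2:\\"hi\\";}"',
    '198.51.100.7 - - [01/May/2026:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; bot/1.0; +http://example.com)"',
    '198.51.100.8 - - [01/May/2026:10:00:05 +0000] "GET / HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity:6} classes={f.classes} ua={f.value!r}")
```

The object regex is deliberately strict (class name in quotes, property count, opening brace) so that ordinary User-Agent strings with colons and braces do not trip it, while the marker regex catches fragments that would only appear if someone is probing the column. Run `scan_stored_values` over a dump of the audit table's user-agent column after upgrading: a hit there means a payload already landed and the "assume breach" step applies.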
Related Signals
- CVE-2026-48908 — Joomla SP Page Builder
- CVE-2026-49772 — Events Calendar SQLi
- CVE-2026-2002 — Forminator XSS