
CVE-2026-54806: WP Activity Log Auth Bypass Vulnerability

CVE-2026-54806 is an authentication bypass flaw in the WP Activity Log plugin for WordPress affecting versions 5.6.3.1 and earlier. The vulnerability enables unauthenticated PHP object injection, posing a serious security risk.


CVE-2026-54806 Overview

CVE-2026-54806 is an unauthenticated PHP Object Injection vulnerability affecting the WP Activity Log plugin for WordPress in versions up to and including 5.6.3.1. The flaw is categorized under CWE-502: Deserialization of Untrusted Data. Remote attackers can inject malicious serialized PHP objects through the plugin without requiring authentication. Successful exploitation can lead to remote code execution, data tampering, or complete site compromise depending on the POP (Property-Oriented Programming) gadget chains available in the WordPress environment. The vulnerability was published to NVD on 2026-06-17 and assigned a CVSS 3.1 base score of 9.8.

Critical Impact

Unauthenticated attackers can trigger PHP object deserialization on vulnerable WordPress sites, potentially leading to remote code execution and full site takeover.

Affected Products

  • WP Activity Log plugin for WordPress, versions <= 5.6.3.1
  • WordPress sites with the wp-security-audit-log plugin installed
  • Any hosting environment running the affected plugin alongside POP gadget chains in installed themes or plugins

Discovery Timeline

  • 2026-06-17 - CVE-2026-54806 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-54806

Vulnerability Analysis

The vulnerability stems from unsafe deserialization of attacker-controlled input within the WP Activity Log plugin. When PHP processes untrusted serialized data through unserialize(), it instantiates objects and invokes magic methods such as __wakeup(), __destruct(), and __toString(). Attackers can craft serialized payloads that abuse these methods to achieve arbitrary behavior.

The issue is exploitable without authentication, meaning any anonymous remote user can submit malicious data to the vulnerable entry point. The network attack vector combined with low complexity makes the flaw practical to weaponize at scale across WordPress sites running the affected plugin.

Root Cause

The root cause is improper handling of serialized input passed to PHP deserialization routines inside WP Activity Log. The plugin accepts data from an unauthenticated context and passes it to unserialize() without sufficient validation or use of safe alternatives such as JSON. When combined with gadget chains present in WordPress core, themes, or other installed plugins, the deserialization primitive can be escalated to arbitrary file write, SQL execution, or remote code execution.
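The following PHP script is an added illustration of the CWE-502 pattern described above and of the two remediations the text names (refusing object instantiation, or switching to JSON). It is not WP Activity Log's code; the LogFlusher class, its path property and the sample payload are hypothetical stand-ins for a gadget and for an attacker-supplied request parameter.

```php
<?php
// Added illustration of the CWE-502 pattern; not WP Activity Log's code.
// LogFlusher, its property and the payload below are hypothetical.

// A stand-in "gadget": a class whose magic method has a visible side effect.
// Real gadget chains reach file writes, SQL or command execution the same way.
class LogFlusher
{
    public $path = '/tmp/demo.log';

    public function __destruct()
    {
        echo "__destruct() ran with path {$this->path}\n";
    }
}

// Constructed attacker input: a serialized LogFlusher with an attacker-chosen path.
$untrusted = 'O:10:"LogFlusher":1:{s:4:"path";s:18:"/var/www/shell.php";}';

// VULNERABLE: unserialize() instantiates whatever class the payload names and
// PHP will run its __wakeup()/__destruct()/__toString() magic methods.
function vulnerable_handler(string $data)
{
    return unserialize($data);
}

// HARDENED (a): keep the wire format but refuse object instantiation. Any
// object in the payload becomes __PHP_Incomplete_Class and no magic method runs.
function hardened_unserialize(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// HARDENED (b): do not accept PHP serialization from clients at all. JSON
// cannot name classes, so there is nothing for a gadget chain to hook.
function hardened_json(string $data): ?array
{
    $decoded = json_decode($data, true, 16);
    return is_array($decoded) ? $decoded : null;
}

$obj = vulnerable_handler($untrusted);
echo get_class($obj), "\n";                          // LogFlusher
unset($obj);                                         // __destruct() fires here

$safe = hardened_unserialize($untrusted);
echo get_class($safe), "\n";                         // __PHP_Incomplete_Class
unset($safe);                                        // nothing runs

var_dump(hardened_json($untrusted));                 // NULL: rejected, not JSON
var_dump(hardened_json('{"path":"/tmp/demo.log"}')); // array(1) { ["path"]=> ... }
```

Run it with `php demo.php`: the vulnerable path prints the destructor message with the attacker-chosen path, the `allowed_classes => false` path yields an inert incomplete-class object, and the JSON path rejects the serialized string outright. The second option is the stronger fix because it removes PHP serialization from the trust boundary altogether.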

Attack Vector

An attacker sends a crafted HTTP request containing a serialized PHP object payload to a vulnerable endpoint exposed by the plugin. The plugin deserializes the payload, instantiating attacker-controlled classes and triggering magic methods. By chaining gadgets available in the WordPress runtime, the attacker reaches sinks that execute commands, write files, or modify database records. No user interaction or prior authentication is required. The EPSS score is 0.525% as of 2026-06-18.

No verified public proof-of-concept code is available. See the Patchstack Vulnerability Advisory for additional technical context.

Detection Methods for CVE-2026-54806

Indicators of Compromise

  • Inbound HTTP POST or GET requests containing serialized PHP payload markers such as O:, a:, or s: followed by length-prefixed strings targeting WP Activity Log endpoints
  • New or modified PHP files under wp-content/ directories not associated with legitimate updates
  • Unexpected outbound network connections originating from the php-fpm or web server process
  • New administrator accounts or modified wp_options rows on sites running WP Activity Log <= 5.6.3.1

Detection Strategies

  • Inspect web server access logs for requests targeting wp-security-audit-log endpoints with body content containing PHP serialization patterns
  • Deploy Web Application Firewall (WAF) rules that flag serialized object patterns in request parameters
  • Compare plugin file hashes against known-good baselines to identify backdoored installations
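The detection strategies above call for spotting PHP serialization markers in requests aimed at the plugin. The script below is an added example, not code from the CVE entry, Patchstack or the plugin vendor: it scans request records for object markers after URL-decoding and base64-unwrapping, and notes whether the request targets the wp-security-audit-log path. The request records, IP addresses and endpoint paths are constructed; in practice they would come from a WAF or ModSecurity audit log, since plain access logs do not record POST bodies.

```php
<?php
// Added detection example; not from the advisory, Patchstack or the vendor.
// The plugin slug comes from the advisory; sample requests are constructed.

const PLUGIN_SLUG = 'wp-security-audit-log';

// O:<len>:"<Class>":<n>:{  (object) and C:<len>:"<Class>":<n>:{ (custom).
// Only object markers are flagged: bare a:/s: tokens also occur in benign
// traffic and would be too noisy on their own.
const OBJECT_PATTERN = '/[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';

/** Return every serialized-object marker found in $text after decoding. */
function php_object_markers(string $text): array
{
    // Raw, single- and double-URL-decoded views of the same input.
    $views = [$text, rawurldecode($text), rawurldecode(rawurldecode($text))];
    // Payloads are often base64-wrapped: decode long base64-looking tokens too.
    foreach (preg_split('/[^A-Za-z0-9+\/=]+/', $text) as $tok) {
        if (strlen($tok) >= 16 && ($raw = base64_decode($tok, true)) !== false) {
            $views[] = $raw;
        }
    }
    $hits = [];
    foreach ($views as $v) {
        if (preg_match_all(OBJECT_PATTERN, $v, $m)) {
            $hits = array_merge($hits, $m[0]);
        }
    }
    return array_values(array_unique($hits));
}

/** Flag requests whose URI or body carries an object marker; note plugin targeting. */
function scan_requests(array $requests): array
{
    $findings = [];
    foreach ($requests as $r) {
        $markers = array_merge(php_object_markers($r['uri']), php_object_markers($r['body']));
        if (!$markers) {
            continue;
        }
        $findings[] = [
            'src'            => $r['src'],
            'uri'            => $r['uri'],
            'markers'        => $markers,
            'targets_plugin' => strpos($r['uri'], PLUGIN_SLUG) !== false,
        ];
    }
    return $findings;
}

// Constructed sample records (hypothetical endpoint paths and addresses).
$requests = [
    // Serialized object URL-encoded in the query string of a plugin path.
    ['src' => '203.0.113.7', 'method' => 'GET',
     'uri' => '/wp-content/plugins/' . PLUGIN_SLUG . '/endpoint.php?data='
              . rawurlencode('O:10:"LogFlusher":1:{s:4:"path";s:18:"/var/www/shell.php";}'),
     'body' => ''],
    // Same kind of payload, base64-wrapped inside a POST body.
    ['src' => '198.51.100.9', 'method' => 'POST',
     'uri' => '/wp-admin/admin-ajax.php',
     'body' => 'action=example&payload=' . base64_encode('O:10:"LogFlusher":0:{}')],
    // Benign traffic: a search containing an s: token, which must not be flagged.
    ['src' => '192.0.2.4', 'method' => 'GET',
     'uri' => '/?s=price+s%3A4%3A%22shoe%22', 'body' => ''],
];

foreach (scan_requests($requests) as $f) {
    printf("%s %s plugin=%s markers=%s\n",
        $f['src'], $f['uri'], $f['targets_plugin'] ? 'yes' : 'no',
        implode(' | ', $f['markers']));
}
```

Running it reports the first two records (the first marked as targeting the plugin path, the second as a generic object-injection attempt on admin-ajax.php) and stays silent on the benign search. Feed it the request URI and body fields from your WAF or audit log to turn the same logic into a scheduled check.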

Monitoring Recommendations

  • Enable verbose logging on WordPress for authentication events, file changes, and option updates
  • Forward web server, PHP error, and WordPress audit logs to a centralized SIEM for correlation
  • Alert on creation of administrator users or changes to siteurl and home options outside change windows

How to Mitigate CVE-2026-54806

Immediate Actions Required

  • Update the WP Activity Log plugin to a version later than 5.6.3.1 as soon as a patched release is available from the vendor
  • Audit WordPress administrator accounts and recently modified files on all sites running the affected plugin
  • Restrict access to WordPress admin and plugin endpoints by source IP where operationally feasible

Patch Information

Review the Patchstack Vulnerability Advisory for the latest patch availability and vendor guidance. Apply the vendor-supplied update to all WordPress installations using WP Activity Log <= 5.6.3.1.

Workarounds

  • Deactivate and remove the WP Activity Log plugin until a patched version is installed
  • Deploy WAF signatures that block serialized PHP object patterns in request bodies and query strings targeting the plugin
  • Apply virtual patching via reverse proxy rules to drop suspicious requests to wp-security-audit-log endpoints
```apache
# Example ModSecurity rule: block PHP serialized-object markers in requests to the plugin.
# The deny on the first rule fires only when the chained body/argument check also matches.
SecRule REQUEST_URI "@contains wp-security-audit-log" \
  "id:1054806,phase:2,deny,status:403,log,\
   chain,msg:'CVE-2026-54806 PHP Object Injection attempt'"
  SecRule ARGS|REQUEST_BODY "@rx O:[0-9]+:\"[A-Za-z0-9_\\\\]+\":[0-9]+:" \
    "t:none,t:urlDecodeUni"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
