CVE-2026-7635 - Vulnerability Analysis

Overview

coreActivity: Activity Logging for WordPress plugin <= 3.0 contains a PHP Object Injection caused by improper validation of User-Agent HTTP header serialization, letting unauthenticated attackers cause persistent denial of service by triggering fatal errors when admins view logs.

Severity & Score

Impact

Unauthenticated attackers can cause persistent denial of service, blocking administrator access to the Logs page.

Mitigation

Update to the latest version beyond 3.0 where this issue is fixed.

References

• https://plugins.trac.wordpress.org/browser/coreactivity/tags/3.0/core/log/Device.php#L35
• https://plugins.trac.wordpress.org/browser/coreactivity/tags/3.0/vendor/dev4press/library/dev4press/wordpress/admin/Table.php#L290
• https://plugins.trac.wordpress.org/browser/coreactivity/trunk/vendor/dev4press/library/dev4press/core/plugins/DBLite.php#L268
• https://plugins.trac.wordpress.org/browser/coreactivity/trunk/vendor/dev4press/library/dev4press/wordpress/admin/Table.php#L290
• https://plugins.trac.wordpress.org/browser/coreactivity/tags/3.0/core/table/Logs.php#L161
• https://plugins.trac.wordpress.org/browser/coreactivity/tags/3.0/vendor/dev4press/library/dev4press/core/plugins/DBLite.php#L268
• https://plugins.trac.wordpress.org/browser/coreactivity/trunk/core/log/Core.php#L252
• https://plugins.trac.wordpress.org/browser/coreactivity/trunk/core/log/Device.php#L35
• https://plugins.trac.wordpress.org/browser/coreactivity/trunk/core/table/Logs.php#L161
• https://www.wordfence.com/threat-intel/vulnerabilities/id/59f30135-6dd9-4367-90a9-a10ad491357d?source=cve
• https://github.com/dev4press/coreactivity/pull/3/changes/1f09331d66de7cf4bba9b6e396b0d4e7597fcde2
• https://plugins.trac.wordpress.org/browser/coreactivity/tags/3.0/core/log/Core.php#L252

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner