HarborGuard Database
Severity: HIGH | CVE-2026-39478 | CNA: Patchstack

CVE-2026-39478: WordPress Anti-Malware Security and Brute-Force Firewall plugin <= 4.23.87 - PHP Object Injection vulnerability

Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: no fixed version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection in the Anti-Malware Security and Brute-Force Firewall WordPress plugin (versions up to and including 4.23.87) allows a network-accessible attacker with a contributor-level account to trigger unsafe deserialization of PHP objects. The vulnerability is reachable over the network and requires only a low-privilege WordPress account, with no victim interaction needed. Successful exploitation has a high impact on the confidentiality, integrity, and availability of the affected site. No fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: CVE-2026-39478 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. Any image carrying the Anti-Malware Security and Brute-Force Firewall plugin at or below version 4.23.87 surfaces as affected in the pipeline scan results.

Triage: Available

Triage is available with CVSS v3.1 scoring of 8.8 (HIGH), automatically weighted against each customer environment's compliance policy to determine urgency tier. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership and escalation rules.

Patch: Pending upstream

Because no upstream fix version exists yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fixed plugin version is published. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once the upstream patch lands.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so the attacker must be able to reach the WordPress installation via HTTP/HTTPS from a remote host.

  • Authentication: Required

    A low-privilege WordPress account at contributor level or above is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    The attacker can trigger the vulnerability directly without requiring any action from another user or an administrator.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • Reads arbitrary site data including stored user credentials, session tokens, and private post content.
  • Writes or modifies persisted database rows and WordPress configuration, enabling content defacement or privilege escalation.
  • Executes arbitrary PHP code on the server if a suitable POP chain exists in the installed codebase, leading to full host compromise.
  • Crashes or destabilizes the WordPress application, causing service disruption for site visitors and administrators.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-39478 is flagged as an unpatched HIGH-severity vulnerability with a CVSS score of 8.8, and no upstream fix version exists at this time. HarborGuard re-evaluates the advisory on every feed ingest cycle so that the moment Eli Scheetz publishes a patched release, a rebuilt image at that fix version becomes available automatically. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads. In the interim, compensating controls to consider include network-policy isolation to restrict inbound access to WordPress contributor endpoints, egress filtering to limit outbound connections from the container, and disabling or removing the plugin from images where its functionality is not strictly required. These mitigations are not substitutes for the upstream patch but reduce the exposed attack surface while the fix is pending.

Affected packages
  • Eli Scheetz / Anti-Malware Security and Brute-Force Firewall
    ≤ 4.23.87
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H