HarborGuard Database

CVE-2026-54806 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-54806: WordPress WP Activity Log plugin <= 5.6.3.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in WP Activity Log <= 5.6.3.1 versions.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: no fix version published yet (pending upstream)
Affected Products: 1

HarborGuard Analysis

Synopsis

PHP Object Injection is a class of vulnerability where attacker-controlled data is passed to PHP's unserialize() function, allowing the attacker to instantiate arbitrary objects and trigger unintended code paths. This vulnerability affects the WP Activity Log WordPress plugin at version 5.6.3.1 and earlier, and is reachable over the network with no authentication required. Successful exploitation gives an attacker full read, write, and availability impact on the host, up to and including remote code execution depending on available PHP classes. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment a fix version is published upstream.
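As an added illustration (constructed for this write-up, not code from WP Activity Log, Melapress or HarborGuard), the pattern the synopsis describes: a plugin-style handler that hands a request value to unserialize(), shown beside two hardened forms. The class and function names and the serialized strings are assumptions made up for the example.

```php
<?php
// Constructed illustration, not WP Activity Log code: a plugin-style handler
// that restores a "filter state" value sent back by the browser.

// Any loaded class with a magic method (__wakeup, __destruct, __toString...)
// becomes reachable once unserialize() sees attacker-chosen bytes.
class LogExporter {
    public static int $sideEffects = 0;   // records that the destructor ran
    public string $path = '/tmp/export.csv';
    public function __destruct() {
        self::$sideEffects++;             // stand-in for a file write etc.
    }
}

// VULNERABLE: the request decides which class gets instantiated.
function restore_filters_vulnerable(string $raw): array {
    $state = @unserialize($raw);
    return is_array($state) ? $state : [];
}

// HARDENED A: allowed_classes=false turns every object into
// __PHP_Incomplete_Class, whose magic methods never execute; the payload
// is then rejected outright if it carried any object at all.
function restore_filters_hardened(string $raw): array {
    $state = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($state)) {
        return [];
    }
    $hasObject = false;
    array_walk_recursive($state, function ($v) use (&$hasObject) {
        if (is_object($v)) { $hasObject = true; }
    });
    return $hasObject ? [] : $state;
}

// HARDENED B (preferred for new code): JSON has no notion of classes.
function restore_filters_json(string $raw): array {
    $state = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($state) ? $state : [];
}

// Constructed inputs: a benign state and a hand-written payload that names
// the LogExporter class (11 characters) with zero properties.
$benign  = 'a:2:{s:8:"severity";s:8:"critical";s:4:"page";i:2;}';
$hostile = 'a:1:{s:1:"x";O:11:"LogExporter":0:{}}';

restore_filters_vulnerable($hostile);   // object instantiated, destructor fires
echo "after vulnerable call: " . LogExporter::$sideEffects . " side effect(s)\n";
restore_filters_hardened($hostile);     // object never materialises, input rejected
echo "after hardened call:   " . LogExporter::$sideEffects . " side effect(s)\n";
print_r(restore_filters_hardened($benign));
```

Hardened form A still lets the sender control the array structure, so it is a containment measure rather than a substitute for a class-free format; WordPress helpers such as maybe_unserialize() wrap unserialize() without restricting classes and carry the same risk as the vulnerable function above.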

HarborGuard Coverage

Detection (status: Available)

Detection capability for CVE-2026-54806 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, NVD, and vendor advisories. Coverage extends to custom-built images that bundle the WP Activity Log plugin, not only images pulled directly from public registries.

Triage (status: Available)

HarborGuard scores this finding at CVSS 9.8 (Critical) and surfaces it with that severity weighting across affected environments. Per-environment compliance policy weighting is applied to route the alert to the appropriate team inbox inside each customer organization based on their defined escalation rules.

Patch (status: Pending upstream)

Because no fix version has been published upstream, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Melapress ships a remediated release. Until then, customers can apply compensating controls through HarborGuard's network policy and workload isolation recommendations described in the recommendation section.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker must be able to send HTTP requests to the WordPress installation to trigger deserialization.

  • Authentication: Not required

    No account or session credential of any kind is needed; the injection point is reachable by any unauthenticated request.

  • Victim interaction: Not required

    No user action, click, or social-engineering step is required; the attacker sends requests directly to the server.

  • Attack complexity: Low

    The exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or environmental prerequisites beyond network access to the target.

Blast Radius

  • A successful attacker reads any data accessible to the PHP process, including WordPress database credentials, stored user session tokens, and plugin configuration secrets.
  • A successful attacker writes or modifies persisted data, including WordPress database rows, plugin settings, and files writable by the web server process.
  • Depending on which PHP classes (gadget chains) are available in the runtime, a successful attacker executes arbitrary operating system commands on the host.
  • The attacker can crash or hang the PHP worker processes, taking the WordPress site offline for legitimate users.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-54806 at this time, the platform monitors the Patchstack and NVD advisory feeds on every ingest cycle and will trigger a patched-image rebuild automatically the moment Melapress publishes a remediated version of WP Activity Log. In the interim, customers can apply the following compensating controls through HarborGuard's policy engine:

  1. Network-policy isolation to restrict inbound HTTP traffic to the WordPress installation to known-good IP ranges only, reducing unauthenticated exposure.
  2. Egress filtering to limit outbound connections from the PHP process, which constrains an attacker's ability to download secondary payloads or establish reverse shells even if deserialization is triggered.
  3. Runtime process-level restrictions to block execution of unexpected child processes spawned by the web server.

For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention as soon as a fix version is available upstream.

Affected packages
  • Melapress / WP Activity Log
    ≤ 5.6.3.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H