[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmZ0BMswzsx_fjLOyJW9TjNOIxMQLb0bKplg0R0dFGbU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-7635","coreactivity-activity-logging-for-wordpress-unauthenticated-php-object-injection-via-useragent-log-meta-field","coreActivity: Activity Logging for WordPress \u003C= 3.0 - Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field","The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta table, and subsequently calling `maybe_unserialize()` on every retrieved `meta_value` in `query_metas()` without verifying the data was originally serialized by the application. 
This makes it possible for unauthenticated attackers to inject a crafted PHP serialized payload via the User-Agent header during any logged event (such as a failed login attempt), which, when an administrator views the Logs page, is deserialized and passed to `DeviceDetector::setUserAgent()`, triggering a Fatal TypeError that creates a persistent Denial of Service condition blocking administrator access to the Logs page entirely.","coreactivity",null,"\u003C=3.0","3.1","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-05-12 00:00:00","2026-05-13 04:26:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F59f30135-6dd9-4367-90a9-a10ad491357d?source=api-prod",1,[22,23,24,25,26,27,28,29],"changelog.md","composer.json","composer.lock","core\u002Fadmin\u002FPlugin.php","core\u002Fadmin\u002FSettings.php","core\u002Fbasic\u002FAdminBar.php","core\u002Fbasic\u002FInformation.php","core\u002Flog\u002FCore.php","researched",false,3,"# Research Plan: CVE-2026-7635 PHP Object Injection in coreActivity\n\n## 1. Vulnerability Summary\nThe **coreActivity: Activity Logging for WordPress** plugin (\u003C= 3.0) is vulnerable to **unauthenticated PHP Object Injection**. The plugin captures the `User-Agent` HTTP header during logged events (e.g., failed logins, 404s, or general activity) and stores it in the `logmeta` database table without sanitizing PHP serialization syntax (e.g., `O:8:\"...\"`).\n\nWhen an administrator views the **Logs** page, the plugin retrieves these values and calls `maybe_unserialize()` on every `meta_value`. Because the input was not sanitized during storage, an attacker can provide a serialized object string that is then instantiated. The resulting object is passed to `DeviceDetector::setUserAgent()`, which expects a string, causing a **Fatal TypeError** in PHP 8.x. 
This results in a persistent Denial of Service (DoS) for the Logs page.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Any page that triggers a logged event. The most reliable unauthenticated target is `wp-login.php` (triggering a login failure event).\n*   **Vulnerable Parameter:** `User-Agent` HTTP Request Header.\n*   **Authentication:** None required (unauthenticated).\n*   **Preconditions:** \n    *   The plugin must be active.\n    *   Event logging must be enabled (typically default for login failures).\n    *   The site must be running on PHP 8.x (to trigger the `TypeError` DoS).\n\n## 3. Code Flow\n1.  **Ingestion:** A request is made to the WordPress site.\n2.  **Capture:** In `Dev4Press\\Plugin\\CoreActivity\\Log\\Core::__construct()`, the plugin populates `cached_data['ua']` via `$this->get_user_agent()` (which reads `$_SERVER['HTTP_USER_AGENT']`).\n3.  **Logging Trigger:** An event (like a failed login) calls `Dev4Press\\Plugin\\CoreActivity\\Log\\Core::log()`.\n4.  **Processing:** `log()` calls `prepare_meta()` and `prepare_device($meta)`. The unsanitized User-Agent string is added to the `$meta` array.\n5.  **Storage:** `Dev4Press\\Plugin\\CoreActivity\\Basic\\DB::i()->log_event($data, $meta)` is called. The `meta_value` (the malicious string) is written directly to the `logmeta` table.\n6.  **Retrieval (Admin Side):** An administrator navigates to `wp-admin\u002Fadmin.php?page=coreactivity-logs`.\n7.  **Deserialization:** The display logic calls a retrieval function (likely `query_metas()`) which executes `maybe_unserialize()` on the stored `meta_value`.\n8.  **Sink:** The resulting object (e.g., a `stdClass` object) is passed to `DeviceDetector::setUserAgent()`.\n9.  **Fatal Error:** PHP throws a `TypeError` because the method signature for `setUserAgent` requires a `string`, but an `object` was provided.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability **does not require a nonce** for the injection phase. 
\n*   The injection occurs via the `User-Agent` header during standard WordPress actions (like login) which are hooked by the plugin.\n*   The plugin's logging mechanism runs automatically on hooks like `wp_login_failed`.\n*   The DoS\u002FExecution trigger occurs when the Admin visits the Logs page, which is a standard GET request to a known slug.\n\n## 5. Exploitation Strategy\nThe goal is to inject a PHP object that triggers a `TypeError` when the administrator attempts to view the logs.\n\n### Injection Phase\n1.  Target the login endpoint to ensure an event is logged.\n2.  **HTTP Request:**\n    ```http\n    POST \u002Fwp-login.php HTTP\u002F1.1\n    Host: victim.com\n    Content-Type: application\u002Fx-www-form-urlencoded\n    User-Agent: O:8:\"stdClass\":0:{}\n\n    log=admin&pwd=wrongpassword&wp-submit=Log+In\n    ```\n    *Note: `O:8:\"stdClass\":0:{}` is a simple serialized `stdClass` object.*\n\n### Trigger Phase\n1.  Log in as a WordPress Administrator.\n2.  Navigate to the coreActivity Logs page.\n3.  **HTTP Request:**\n    ```http\n    GET \u002Fwp-admin\u002Fadmin.php?page=coreactivity-logs HTTP\u002F1.1\n    Host: victim.com\n    Cookie: [Admin Cookies]\n    ```\n\n## 6. Test Data Setup\n1.  Install and activate **coreActivity: Activity Logging for WordPress** version 3.0.\n2.  Ensure PHP 8.0+ is used in the test environment.\n3.  Confirm logging is active (check the dashboard at `\u002Fwp-admin\u002Fadmin.php?page=coreactivity-dashboard`).\n\n## 7. Expected Results\n1.  The `log_event` call will successfully write `O:8:\"stdClass\":0:{}` to the database meta table.\n2.  Upon accessing the Logs page, the server will return a **500 Internal Server Error** or a white screen.\n3.  The PHP error log will contain:\n    `Fatal error: Uncaught TypeError: DeviceDetector\\DeviceDetector::setUserAgent(): Argument #1 ($userAgent) must be of type string, stdClass given...`\n\n## 8. Verification Steps\n1.  
**Database Check:** Use WP-CLI to verify the injected value is in the database.\n    ```bash\n    wp db query \"SELECT meta_value FROM wp_coreactivity_logmeta WHERE meta_value LIKE 'O:8:%';\"\n    ```\n2.  **Log Verification:** Check the WordPress error log for the specific `TypeError` involving `DeviceDetector`.\n\n## 9. Alternative Approaches\n### Remote Code Execution (RCE)\nIf the environment contains a usable POP chain (gadget), the vulnerability can be escalated from DoS to RCE.\n1.  Analyze `composer.lock` for included libraries.\n2.  `erusev\u002Fparsedown` and `matomo\u002Fdevice-detector` are present. \n3.  Search for gadgets in `dev4press\u002Flibrary` (the plugin's custom shared library), specifically looking for `__destruct`, `__wakeup`, or `__toString` methods in the `Dev4Press\\v55` namespace.\n4.  If a gadget is found, replace `O:8:\"stdClass\":0:{}` with the crafted gadget chain payload.","The coreActivity: Activity Logging for WordPress plugin (\u003C= 3.0) is vulnerable to unauthenticated PHP Object Injection via the User-Agent HTTP header. The plugin stores the raw User-Agent string in the logmeta table and later retrieves it using maybe_unserialize() without validation, allowing attackers to inject crafted PHP objects that can lead to a Denial of Service (DoS) or potential Remote Code Execution (RCE).","\u002F\u002F core\u002Flog\u002FCore.php\nprivate function __construct() {\n    $this->cached_data = array(\n        'ip'          => IP::visitor( coreactivity_settings()->get( 'ip_visitor_forwarded' ) ),\n        'remote_addr' => IP::visitor( false ),\n        'server_ip'   => isset( $_SERVER['SERVER_ADDR'] ) ? 
IP::server() : '',\n        'ua'          => $this->get_user_agent(), \u002F\u002F Captures unsanitized User-Agent\n        'referer'     => $this->get_referer(),\n        \u002F\u002F ...\n    );\n}\n\n---\n\n\u002F\u002F core\u002Flog\u002FCore.php\npublic function log( int $event_id, array $data = array(), array $meta = array() ) : int {\n    \u002F\u002F ...\n    $data = $this->prepare_data( $event_id, $data );\n    $meta = $this->prepare_meta( $meta ); \u002F\u002F Injects 'ua' into $meta\n\n    \u002F\u002F ...\n    $meta = $this->prepare_device( $meta );\n\n    \u002F\u002F ...\n    $id = DB::i()->log_event( $data, $meta ); \u002F\u002F Stores unsanitized User-Agent in DB\n    \u002F\u002F ...\n}","--- a\u002Fcore\u002Flog\u002FCore.php\n+++ b\u002Fcore\u002Flog\u002FCore.php\n@@ -50,7 +50,7 @@\n \t\t\t'ip'          => IP::visitor( coreactivity_settings()->get( 'ip_visitor_forwarded' ) ),\n \t\t\t'remote_addr' => IP::visitor( false ),\n \t\t\t'server_ip'   => isset( $_SERVER['SERVER_ADDR'] ) ? IP::server() : '',\n-\t\t\t'ua'          => $this->get_user_agent(),\n+\t\t\t'ua'          => sanitize_text_field($this->get_user_agent()),\n \t\t\t'referer'     => $this->get_referer(),\n \t\t\t'method'      => $this->get_request_method(),\n \t\t\t'protocol'    => wp_get_server_protocol(),\n--- a\u002Fcore\u002Fbasic\u002FDB.php\n+++ b\u002Fcore\u002Fbasic\u002FDB.php\n@@ -150,5 +150,5 @@\n \tpublic function query_metas($log_id) {\n-\t\t\u002F\u002F ...\n-\t\t$meta_value = maybe_unserialize($result->meta_value);\n+\t\t\u002F\u002F Use a safer retrieval method that avoids automatic deserialization of user-provided strings\n+\t\t$meta_value = $result->meta_value;\n \t\t\u002F\u002F ...\n \t}","The exploit is achieved by performing any action that triggers a logged event while supplying a malicious User-Agent string. \n\n1. 
An unauthenticated attacker sends a request to an endpoint that triggers logging, such as a POST request to `wp-login.php` with incorrect credentials.\n2. The request includes a crafted PHP serialized object (e.g., `O:8:\"stdClass\":0:{}`) within the `User-Agent` HTTP header.\n3. The plugin captures this header and stores it directly in the `logmeta` database table as a `meta_value` associated with the log entry.\n4. When a WordPress administrator navigates to the plugin's Logs page (`\u002Fwp-admin\u002Fadmin.php?page=coreactivity-logs`), the plugin retrieves the stored meta values.\n5. The plugin calls `maybe_unserialize()` on the retrieved data. Because the data is now a valid serialized object string, PHP instantiates the object.\n6. On PHP 8.x, if the resulting object is passed to library functions expecting a string (like `DeviceDetector::setUserAgent`), it triggers a `Fatal TypeError`, effectively locking administrators out of the activity log page (Denial of Service).","gemini-3-flash-preview","2026-05-14 18:14:20","2026-05-14 18:15:16",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcoreactivity\u002Ftags\u002F3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcoreactivity.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcoreactivity\u002Ftags\u002F3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcoreactivity.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcoreactivity\u002Ftags"]
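Review bot: in the core/log/Core.php hunk, the changed 'ua' line relies on sanitize_text_field(), which does not remove PHP serialization syntax. A value such as the O:8:"stdClass":0:{} string used on this page contains no tags, line breaks or percent-encoded octets, so it passes through unchanged and is still stored as a valid serialized string. On its own this line does not close the injection path, and the protection rests entirely on the read-side change in DB.php. If the intent is to reject serialized input at capture time, add an explicit check (WordPress provides is_serialized()) and store a neutral value when it matches. The neighbouring 'referer' => $this->get_referer() entry is also request-derived and is left unchanged in this hunk, so it is worth confirming it gets equivalent treatment.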
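Review bot: in the core/basic/DB.php hunk, query_metas() now returns the raw meta_value for every row, so any meta the plugin itself wrote as a serialized array will reach callers as a string. Confirm that no caller depends on the previously decoded form. If some keys must still be decoded, decode only those known keys with unserialize() and allowed_classes set to false, or store them as JSON, so that no object can be instantiated from stored data. Callers that hand the value to a typed API such as DeviceDetector::setUserAgent() should still check that it is a string, since rows written by 3.0 remain in the table. The new comment ("Use a safer retrieval method ...") describes intent rather than what the line does. Reword it to say that meta values are returned without deserialization, and why.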