📄 Description (English)
The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta table, and subsequently calling `maybe_unserialize()` on every retrieved `meta_value` in `query_metas()` without verifying the data was originally serialized by the application. This makes it possible for unauthenticated attackers to inject a crafted PHP serialized payload via the User-Agent header during any logged event (such as a failed login attempt), which, when an administrator views the Logs page, is deserialized and passed to `DeviceDetector::setUserAgent()`, triggering a Fatal TypeError that creates a persistent Denial of Service condition blocking administrator access to the Logs page entirely.
🤖 AI Executive Summary
CVE-2026-7635 is a critical PHP Object Injection vulnerability in the coreActivity WordPress plugin affecting all versions up to 3.0. Unauthenticated attackers can inject malicious serialized PHP payloads via the User-Agent header during login attempts, causing a persistent Denial of Service that blocks administrator access to the Logs page. This vulnerability poses significant risk to WordPress installations across Saudi Arabia, particularly those managing critical business operations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 20, 2026 05:21
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations using WordPress with the coreActivity plugin, particularly: (1) Government agencies and ministries managing citizen-facing portals and administrative systems; (2) Banking and financial institutions using WordPress for customer-facing services and internal portals; (3) Healthcare providers using WordPress for patient information systems and appointment management; (4) E-commerce platforms and retail businesses relying on WordPress; (5) Telecommunications companies using WordPress for customer service portals. The persistent DoS condition could disrupt critical administrative functions and prevent security incident investigation through log review.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Healthcare and Medical Services
E-commerce and Retail
Telecommunications
Education
Energy and Utilities
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.7
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Disable the coreActivity plugin immediately via WordPress admin panel or file system
2. If plugin cannot be disabled, restrict access to wp-admin using .htaccess or WAF rules to prevent administrator lockout
3. Clear all malicious entries from wp_postmeta and wp_usermeta tables containing serialized payloads
DETECTION & INVESTIGATION:
4. Search WordPress logs and web server access logs for suspicious User-Agent headers containing PHP serialization syntax (patterns like 'O:' or 'a:' followed by numbers)
5. Query database: SELECT * FROM wp_postmeta WHERE meta_value LIKE 'O:%' OR meta_value LIKE 'a:%'
6. Review failed login attempts in logs for correlation with injection attempts
COMPENSATING CONTROLS:
7. Implement WAF rules to block User-Agent headers containing PHP serialization patterns
8. Deploy ModSecurity rule: SecRule REQUEST_HEADERS:User-Agent "@rx (?:O|a|s|i|d|b|C):\d+:" "id:1000,phase:2,deny,status:403"
9. Implement input validation at web server level to sanitize User-Agent headers
10. Enable WordPress security plugins (Wordfence, Sucuri) with malware scanning
LONG-TERM:
11. Monitor for plugin updates or switch to alternative activity logging solutions
12. Implement principle of least privilege for admin access
13. Deploy Web Application Firewall (WAF) with PHP object injection detection
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بتعطيل مكون coreActivity فوراً عبر لوحة تحكم WordPress أو نظام الملفات
2. إذا لم يكن من الممكن تعطيل المكون، قيد الوصول إلى wp-admin باستخدام .htaccess أو قواعد WAF لمنع قفل المسؤول
3. امسح جميع الإدخالات الضارة من جداول wp_postmeta و wp_usermeta التي تحتوي على حمولات مسلسلة
الكشف والتحقيق:
4. ابحث في سجلات WordPress وسجلات خادم الويب عن رؤوس User-Agent المريبة التي تحتوي على بناء جملة تسلسل PHP
5. استعلم قاعدة البيانات: SELECT * FROM wp_postmeta WHERE meta_value LIKE 'O:%' OR meta_value LIKE 'a:%'
6. راجع محاولات تسجيل الدخول الفاشلة في السجلات للارتباط مع محاولات الحقن
الضوابط التعويضية:
7. تطبيق قواعد WAF لحجب رؤوس User-Agent التي تحتوي على أنماط تسلسل PHP
8. نشر قاعدة ModSecurity: SecRule REQUEST_HEADERS:User-Agent "@rx (?:O|a|s|i|d|b|C):\d+:" "id:1000,phase:2,deny,status:403"
9. تطبيق التحقق من الإدخال على مستوى خادم الويب لتنظيف رؤوس User-Agent
10. تفعيل مكونات أمان WordPress (Wordfence, Sucuri) مع فحص البرامج الضارة
المدى الطويل:
11. مراقبة تحديثات المكون أو التبديل إلى حلول تسجيل النشاط البديلة
12. تطبيق مبدأ أقل امتياز للوصول الإداري
13. نشر جدار حماية تطبيقات الويب (WAF) مع كشف حقن كائنات PHP
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.8.1.1 - User Access Management
A.12.2.1 - Change Management
A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
ID.RA-1 - Asset Management and Inventory
PR.DS-1 - Data Security and Protection
DE.CM-1 - Detection and Analysis
RS.RP-1 - Response Planning
🟡 ISO 27001:2022
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.12.2.1 - Change management procedures
A.5.1.1 - Information security policies
🟣 PCI DSS v4.0.1
6.2 - Ensure all system components are protected from known vulnerabilities
6.5.1 - Injection flaws prevention
11.2 - Vulnerability scanning and assessment
🔗 References & Sources 12
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
https://github.com/dev4press/coreactivity/pull/3/changes/1f09331d66de7cf4bba9b6e396b0d4...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/coreactivity/tags/3.0/core/log/Core.php#L252
security@wordfence.com
https://plugins.trac.wordpress.org/browser/coreactivity/tags/3.0/core/log/Device.php#L35
security@wordfence.com
https://plugins.trac.wordpress.org/browser/coreactivity/tags/3.0/core/table/Logs.php#L161
security@wordfence.com
https://plugins.trac.wordpress.org/browser/coreactivity/tags/3.0/vendor/dev4press/libra...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/coreactivity/tags/3.0/vendor/dev4press/libra...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/coreactivity/trunk/core/log/Core.php#L252
security@wordfence.com
https://plugins.trac.wordpress.org/browser/coreactivity/trunk/core/log/Device.php#L35
security@wordfence.com
https://plugins.trac.wordpress.org/browser/coreactivity/trunk/core/table/Logs.php#L161
security@wordfence.com
https://plugins.trac.wordpress.org/browser/coreactivity/trunk/vendor/dev4press/library/...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/coreactivity/trunk/vendor/dev4press/library/...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/59f30135-6dd9-4367-90a9-a10ad...
security@wordfence.com