Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3 | Critical: 0 | High: 2 | Medium: 1

Showing 1-3 of 3 records
Threat Entry Updated 2026-05-13

CVE-2026-7635 - Coreactivity Plugin

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta table, and subsequently calling `maybe_unserialize()` on every retrieved `meta_value` in `query_metas()` without verifying the data was originally serialized by the application. This makes it possible for unauthenticated attackers to inject a crafted PHP serialized payload via the User-Agent header during any logged…

PLUGIN Coreactivity

CVE-2026-7635

HIGH CVSS 8.1 2026-05-13
Threat Entry Updated 2025-11-13

CVE-2024-0852 - Coreactivity Plugin

The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform a Stored XSS attack against high-privilege users such as admin.

PLUGIN Coreactivity

CVE-2024-0852

HIGH CVSS 8.8 2025-05-15
Threat Entry Updated 2025-06-17

CVE-2024-0868 - Coreactivity Plugin

The coreActivity: Activity Logging plugin for WordPress before 2.1 retrieved IP addresses of requests via headers such as X-FORWARDED to log them, allowing users to spoof them by providing an arbitrary value.

PLUGIN Coreactivity

CVE-2024-0868

MEDIUM CVSS 5.3 2024-04-17