coreActivity WordPress Plugin PHP Object Injection Vulnerability in Activity Logging Component

Vulnerability

A PHP Object Injection vulnerability has been identified in the coreActivity: Activity Logging for WordPress plugin, affecting all versions through 3.0. The issue arises because the plugin does not properly validate or remove PHP serialization syntax from the User-Agent HTTP header before logging it. This unvalidated data is stored in the logmeta table and later retrieved without verification, allowing unauthenticated attackers to inject malicious PHP serialized payloads. When an administrator accesses the Logs page, these payloads are deserialized and passed to the DeviceDetector library, causing a Fatal TypeError that disrupts access to the Logs page.
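The two defensive layers implied by the description above, as an added illustration that is not code from the coreActivity plugin or the DeviceDetector library: reject PHP serialization syntax in the User-Agent before it is logged, and enforce a plain string type before the stored value reaches a string-typed parser. All function names and the sample headers are constructed for this example.

```php
<?php
// Added example (hypothetical helpers, not the plugin's code).
// Layer 1: write path. A browser User-Agent never legitimately contains PHP
// serialization tokens such as O:8:"Cls":0:{ ... }, C:..., or a:N:{ ... }.
function ua_contains_php_serialization(string $ua): bool
{
    // Serialized object / custom-serialized object / array tokens.
    return (bool) preg_match('/\b[OC]:\d+:"[^"]*":\d+:\{/', $ua)
        || (bool) preg_match('/\ba:\d+:\{/', $ua);
}

function sanitize_user_agent_for_log(string $ua, int $maxLen = 512): string
{
    // Bound the length so stored metadata stays small and cannot smuggle
    // long payloads; then refuse anything that looks like serialized data.
    $ua = substr($ua, 0, $maxLen);
    if (ua_contains_php_serialization($ua)) {
        return '[rejected: serialized data in User-Agent]';
    }
    return $ua;
}

// Layer 2: read path. Whatever the storage layer hands back (a string, an
// array, an object, or __PHP_Incomplete_Class) must be a plain string before
// it is passed to a parser whose parameter is type-hinted as string.
// Discarding non-strings here turns a Fatal TypeError into a blank field.
function user_agent_for_parser($stored): string
{
    return is_string($stored) ? $stored : '';
}

// If the stored value must be unserialized at all, forbid class instantiation;
// objects then come back as __PHP_Incomplete_Class and are dropped above.
function safe_unserialize(string $raw)
{
    return @unserialize($raw, ['allowed_classes' => false]);
}

// Constructed sample headers: one ordinary browser string, one containing
// harmless serialization syntax (an empty stdClass) to exercise the filter.
$samples = [
    'Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0',
    'O:8:"stdClass":0:{}',
];
foreach ($samples as $s) {
    $stored = sanitize_user_agent_for_log($s);
    echo $s, PHP_EOL, '  stored as: ', $stored, PHP_EOL,
         '  parser input: ', user_agent_for_parser($stored), PHP_EOL;
}
```

The second sample is stored as the rejection marker rather than as serialization syntax, so nothing on the Logs page can later be turned back into an object.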

Impact

Exploitation of this vulnerability leads to a persistent Denial of Service condition, where administrators are blocked from accessing the Logs page.

Reproduction

The vulnerability can be reproduced by sending a crafted PHP serialized payload in the User-Agent header during a logged event, such as a failed login attempt. Once the payload is injected, an administrator can be blocked from accessing the Logs page due to the induced Fatal TypeError.

Remediation

Users are advised to update the coreActivity: Activity Logging for WordPress plugin to version 3.1 or later.

Added: May 13, 2026, 4:51 PM
Updated: May 13, 2026, 4:51 PM

Vulnerability Rating

Custom Algorithm
spread: 1.6
impact: 0.6
exploitability: 7.0
remediation: 7.7
relevance: 8.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.