CVE-2026-7637

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOSTUSERLOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present i...

PT-2026-42100

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST USER LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present...

PT-2026-41865

Name of the Vulnerable Software and Affected Versions Content Element Selector ceselector affected versions not specified Description The extension passes an attacker-controlled cookie directly to the unserialize function without safe processing. A remote, unauthenticated attacker can provide a...

CVE-2026-7635

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...

CVE-2026-7635

The CVE-2026-7635 entry concerns the coreActivity: Activity Logging for WordPress plugin for WordPress, affected up to version 3.0. The vulnerability arises from unsanitized PHP serialization in the User-Agent header stored to the logmeta table and later deserialized via maybe_unserialize() durin...

EUVD-2026-29901

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...

WordPress plugin coreActivity 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There we...

PT-2026-40565

Name of the Vulnerable Software and Affected Versions coreActivity: Activity Logging for WordPress versions prior to 3.1 Description The plugin is susceptible to PHP Object Injection, a condition where untrusted data is passed to a deserialization function, potentially allowing the execution of...

CVE-2025-69690

Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the postrebootcommands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execut...

WordPress User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection vulnerability

Authenticated Subscriber+ PHP Object Injection vulnerability discovered by d.v4ns3c in WordPress Plugin WP User Frontend versions = 4.3.1...

CVE-2026-5127 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1 This is due to insufficient input validation and type checking on the wpuffiles...

CVE-2026-5127 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1 This is due to insufficient input validation and type checking on the wpuffiles...

SUSE CVE-2014-2027

eGroupware before 1.8.006.20140217 allows remote attackers to conduct PHP object injection attacks, delete arbitrary files, and possibly execute arbitrary code via the 1 addrfields or 2 trans parameter to addressbook/csvimport.php, 3 calfields or 4 trans parameter to calendar/csvimport.php, 5...

WordPress Profile Builder Pro plugin <= 3.14.5 - Unauthenticated PHP Object Injection vulnerability

Unauthenticated PHP Object Injection vulnerability discovered by 0xbro in WordPress Plugin Profile Builder Pro versions = 3.14.5...

VulnCheck KEV: CVE-2026-3296

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize on stored entry meta...

CVE-2026-7647

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybeunserialize function on the attacker-controlled 'args' POST parameter within the wppbrequestuserspinsactioncallback AJAX handler, whi...

EUVD-2026-26750

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybeunserialize function on the attacker-controlled 'args' POST parameter within the wppbrequestuserspinsactioncallback AJAX handler, whi...

CVE-2026-7647 Profile Builder Pro <= 3.14.5 - Unauthenticated PHP Object Injection

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybeunserialize function on the attacker-controlled 'args' POST parameter within the wppbrequestuserspinsactioncallback AJAX handler, whi...

CVE-2026-7647 Profile Builder Pro <= 3.14.5 - Unauthenticated PHP Object Injection

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybeunserialize function on the attacker-controlled 'args' POST parameter within the wppbrequestuserspinsactioncallback AJAX handler, whi...

CVE-2026-7647

Profile Builder Pro for WordPress (versions up to 3.14.5) is vulnerable to PHP Object Injection due to maybe_unserialize() on the attacker-controlled 'args' parameter in wppb_request_users_pins_action_callback(). The AJAX handler is registered for both authenticated and unauthenticated requests (...