CVE-2025-0767
📋 TL;DR
CVE-2025-0767 is a PHP object injection vulnerability in the WP Activity Log WordPress plugin that allows remote code execution. Attackers can exploit unvalidated user input passed to unserialize() to execute arbitrary code on the server. All WordPress sites running WP Activity Log 5.3.2 or earlier are affected.
💻 Affected Systems
- WP Activity Log (WordPress plugin)
📦 What is this software?
WP Activity Log by Melapress
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, malware deployment, website defacement, and lateral movement to other systems.
Likely Case
Remote code execution allowing attackers to create backdoors, steal sensitive data, and maintain persistent access to the compromised WordPress site.
If Mitigated
Attack blocked at WAF level or plugin disabled, preventing exploitation but potentially losing audit logging functionality.
🎯 Exploit Status
Exploitation is straightforward because the plugin calls unserialize() directly on user-supplied input. A public proof-of-concept is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.3 or later
Vendor Advisory: https://co.wordpress.org/plugins/wp-security-audit-log/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Activity Log and click 'Update Now'.
4. Verify the version is 5.3.3 or higher.
🔧 Temporary Workarounds
Disable WP Activity Log plugin
(all platforms) Temporarily disable the vulnerable plugin until patched
wp plugin deactivate wp-security-audit-log
WAF rule to block exploitation attempts
(all platforms) Add a WAF rule to block requests containing PHP object injection payloads
ModSecurity rule: SecRule ARGS "@rx (O:\d+:\"[^"]+\":\d+:\{[^}]+\})" "id:1001,phase:2,deny,status:403,msg:'PHP Object Injection Attempt'"
Cloudflare WAF: Create rule to block requests with PHP serialized objects in parameters
🧯 If You Can't Patch
- Disable WP Activity Log plugin immediately
- Implement strict WAF rules to block PHP serialized object patterns in HTTP requests
🔍 How to Verify
Check if Vulnerable:
Check the installed plugin version; any version 5.3.2 or earlier is vulnerable:
wp plugin get wp-security-audit-log --field=version
Verify Fix Applied:
Verify plugin version is 5.3.3 or higher: wp plugin get wp-security-audit-log --field=version
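The version check above is easy to get wrong when scripted across many sites, because a plain string comparison sorts "5.3.10" before "5.3.3". The following script is an added example (not part of this advisory or of the plugin) that parses the output of the wp plugin get command into numeric components and compares it against the fixed version 5.3.3. The check_site() helper and its --path argument are assumptions about how a fleet operator would invoke WP-CLI per site; the version strings in the usage block are constructed samples.

```python
import re
import subprocess

# First version that carries the fix for CVE-2025-0767 (from the advisory).
FIXED_VERSION = (5, 3, 3)
PLUGIN_SLUG = "wp-security-audit-log"


def parse_version(version_str):
    """Turn '5.3.2', '5.3.10' or '5.4.0-beta1' into a tuple of ints.

    Only the leading dotted numeric part is used; pre-release suffixes are
    ignored, which is conservative for a 'is this patched?' decision.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version_str)
    if not match:
        raise ValueError(f"unrecognised version string: {version_str!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Normalise to exactly three components so '5.3' compares as 5.3.0.
    return (parts + (0, 0, 0))[:3]


def is_vulnerable(version_str):
    """True when the installed plugin is older than the fixed release."""
    return parse_version(version_str) < FIXED_VERSION


def check_site(wordpress_path):
    """Run WP-CLI against one install and report (version, vulnerable).

    Hypothetical helper: assumes 'wp' is on PATH and that --path points at
    the WordPress root. Returns (None, False) when the plugin is absent.
    """
    result = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version",
         f"--path={wordpress_path}"],
        capture_output=True, text=True,
    )
    if result.returncode != 0:
        return None, False  # plugin not installed or WP-CLI error
    version = result.stdout.strip()
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample values, not output from any real site.
    for sample in ["5.3.2", "5.3.3", "5.3.10", "5.3", "5.4.0-beta1"]:
        status = "VULNERABLE" if is_vulnerable(sample) else "patched"
        print(f"{sample:<12} {status}")
```

Note that the numeric comparison marks 5.3.10 as patched, where a naive string comparison would wrongly report it as older than 5.3.3.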
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php or plugin endpoints
- PHP errors containing 'unserialize' in error logs
- Unexpected process execution from web server user
Network Indicators:
- HTTP requests containing serialized PHP objects in parameters
- POST requests to /wp-admin/admin-ajax.php with unusual payloads
SIEM Query:
source="web_logs" AND (uri="*admin-ajax.php*" OR uri="*wp-content/plugins/wp-security-audit-log*") AND (request_body="*O:\d+:\"[^"]+\":\d+:\{[^}]+\}*" OR request_body="*unserialize*")
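As an added example (not part of this advisory), the script below applies the same serialized-object pattern used in the ModSecurity rule and SIEM query above to request records offline, which is useful for retro-hunting in archived WAF or audit logs. Two details matter in practice and are handled here: form bodies arrive percent-encoded, so the text must be URL-decoded before the pattern is applied, and the advisory's pattern only matches a flat object, so nested serialized objects would surface as the innermost match rather than the outer one. The log format (method, URI and body separated by tabs) and all sample lines are constructed for this example; real access logs usually do not record POST bodies, so this assumes a ModSecurity audit log or similar body-capturing source.

```python
import re
from urllib.parse import unquote_plus

# Pattern from the advisory's ModSecurity rule: a serialized PHP object
# header followed by a single, non-nested property block.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[^"]+":\d+:\{[^}]+\}')

# Paths the advisory's SIEM query scopes detection to.
SCOPED_PATHS = ("/wp-admin/admin-ajax.php",
                "/wp-content/plugins/wp-security-audit-log")

# Constructed sample records: METHOD<TAB>URI<TAB>BODY. Only record 2
# carries a serialized object (a harmless stdClass, percent-encoded the way
# a browser would submit it).
SAMPLE_RECORDS = [
    "POST\t/wp-admin/admin-ajax.php\taction=heartbeat&data=ok",
    "POST\t/wp-admin/admin-ajax.php\taction=example&payload="
    "O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D",
    "GET\t/wp-content/plugins/wp-security-audit-log/readme.txt\t",
    "POST\t/contact-form\tname=alice&msg=hello",
]


def find_php_objects(text):
    """Return serialized PHP objects found in text after URL-decoding."""
    decoded = unquote_plus(text)
    return PHP_OBJECT_RE.findall(decoded)


def in_scope(uri):
    return any(uri.startswith(p) for p in SCOPED_PATHS)


def scan_records(records):
    """Yield (index, uri, matches) for scoped records carrying an object.

    The URI is checked as well as the body because parameters may travel in
    the query string rather than the POST body.
    """
    hits = []
    for idx, record in enumerate(records, start=1):
        method, uri, body = (record.split("\t", 2) + ["", ""])[:3]
        if not in_scope(uri):
            continue
        matches = find_php_objects(uri) + find_php_objects(body)
        if matches:
            hits.append((idx, uri, matches))
    return hits


if __name__ == "__main__":
    for idx, uri, matches in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: {uri} -> {matches}")
```

Alerts from this pattern still need triage: some legitimate plugins do pass serialized data in requests, so treat a hit on the scoped endpoints as a lead to correlate with the error-log and process indicators listed above rather than as proof of exploitation.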