PatchSiren cyber security CVE debrief
CVE-2026-39478 Eli Scheetz CVE debrief
CVE-2026-39478 is a HIGH severity vulnerability in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, with a CVSS score of 8.8. The vulnerability, published on 2026-06-15T21:16:44.220Z and modified on 2026-06-15T21:24:32.790Z, is a PHP Object Injection issue exploitable by users with Contributor-level access. It affects versions of the plugin up to 4.23.87. For more information, refer to the [Patchstack advisory](https://patchstack.com/database/wordpress/plugin/gotmls/vulnerability/wordpress-anti-malware-security-and-brute-force-firewall-plugin-4-23-87-php-object-injection-vulnerability?_s_id=cve).
- Vendor: Eli Scheetz
- Product: Anti-Malware Security and Brute-Force Firewall
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Sites using the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, particularly those that have accounts with Contributor-level access, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
CVE-2026-39478 is a PHP Object Injection issue in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress. PHP Object Injection is the class of flaw in which untrusted input is deserialized by the application, letting the sender supply objects of their own choosing. The issue is classified as HIGH severity with a CVSS score of 8.8. It is exploitable by users with the Contributor role and can have a high impact on confidentiality, integrity, and availability.
Defensive priority
HIGH
Recommended defensive actions
- Update the Anti-Malware Security and Brute-Force Firewall plugin to a version that is not vulnerable.
- Refer to the [Patchstack advisory](https://patchstack.com/database/wordpress/plugin/gotmls/vulnerability/wordpress-anti-malware-security-and-brute-force-firewall-plugin-4-23-87-php-object-injection-vulnerability?_s_id=cve) for mitigation.
Evidence notes
The CVE-2026-39478 vulnerability was identified and reported by Patchstack.
Official resources
- CVE-2026-39478 CVE record (CVE.org)
- CVE-2026-39478 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference