CVE-2026-54806 is a critical Unauthenticated PHP Object Injection vulnerability in the WP Activity Log plugin versions <= 5.6.3.1. The vulnerability has a CVSS score of 9.8 and is considered critical. The CVE record was published on 2026-06-17T13:20:51.727Z and has not been modified since then. This vulnerability allows attackers to inject malicious PHP objects, potentially leading to code execution, data [truncated]
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the WP Activity Log plugin for WordPress, affecting versions up to and including 5.6.3. The vulnerability stems from improper neutralization of input during web page generation, allowing an attacker with low privileges to inject malicious scripts that execute in a victim's browser. The CVSS 3.1 score of 6.5 (Medium) reflects network attack vec [truncated]