CVE-2026-39478

Vulnerability

A PHP Object Injection vulnerability exists in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, versions 4.23.87 and earlier [1]. The issue occurs when user-supplied input is passed to an unserialize() call without proper sanitization, allowing an attacker to inject arbitrary PHP objects [1]. The vulnerable code path is reachable if the attacker can submit crafted data to the relevant parameter, with the plugin being in its default configuration [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted serialized payload to the WordPress site through a parameter processed by the plugin [1]. No special network position is required beyond typical internet access. The attacker does not need any prior authentication or write access to the site. The exploitation step involves crafting a malicious serialized object that, upon deserialization, triggers a Property Oriented Programming (POP) chain [1].

Impact

Successful exploitation can lead to arbitrary code execution, SQL injection, path traversal, or denial of service, depending on the available POP gadgets in the WordPress environment [1]. The attacker can achieve complete compromise of the WordPress site, including data disclosure, modification, and full control over the server's PHP execution [1]. The CVSS 3.1 score of 8.8 (High) reflects the critical impact and low complexity of exploitation [1].

Mitigation

The vendor has released version 4.23.88 which fixes the vulnerability [1]. Users are strongly advised to update immediately to 4.23.88 or later [1]. For users who cannot update, Patchstack offers a mitigation rule that blocks attacks until the update is applied [1]. As of the disclosure date (2026-06-15), the vulnerability is expected to become exploited in mass campaigns [1]. No other workarounds are provided in the available references.