CVE-2026-2471
PHP Object Injection in WP Mail Logging Plugin via Email Log Deserialization
Publication date: 2026-02-28
Last updated on: 2026-02-28
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wp_mail_logging | 1.15.0 |
| wordfence | wp_mail_logging | up to 1.15.0 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Mail Logging plugin for WordPress up to version 1.15.0 is vulnerable to PHP Object Injection due to unsafe deserialization of untrusted input from the email log message field.
This happens because the BaseModel class constructor calls a function that unserializes data from the database without validating it, allowing attackers to submit a double-serialized payload through public forms that send email.
When an administrator views the logged email containing the malicious payload, it gets deserialized into a PHP object, potentially enabling harmful actions.
However, this vulnerability only has an impact if another plugin or theme installed on the site contains a gadget chain (POP chain) that can be exploited after deserialization.
How can this vulnerability impact me?
If exploited, and if a suitable POP chain is present via another plugin or theme, an attacker could perform dangerous actions such as deleting arbitrary files, retrieving sensitive data, or executing arbitrary code on the affected WordPress site.
The attack requires submitting a crafted payload through public-facing email forms and relies on an administrator viewing the malicious email log entry.
Without a POP chain in other installed components, the vulnerability does not lead to direct impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves PHP Object Injection via deserialization of untrusted input in the WP Mail Logging plugin, versions up to 1.15.0. Detection involves identifying whether your WordPress site is running a vulnerable version of the WP Mail Logging plugin and monitoring for suspicious serialized payloads submitted through public-facing email forms.

Since the vulnerability is triggered when email log messages containing double-serialized payloads are logged and viewed, you can detect attempts by inspecting the email log entries for suspicious serialized data patterns.

- Check the installed version of the WP Mail Logging plugin to confirm whether it is version 1.15.0 or earlier.
- Search the email logs database table (usually named `wpml_mails` with the site's table prefix, e.g. `wp_wpml_mails`) for entries containing serialized PHP objects or double-serialized strings.
- Use SQL queries to find suspicious serialized data patterns in the `message` column of the email logs, for example:

```sql
SELECT * FROM wp_wpml_mails WHERE message LIKE '%O:%' OR message LIKE '%s:%';
```

Monitor web server logs or application logs for unusual POST requests to public-facing forms that send emails (e.g., Contact Form 7) containing suspicious serialized payloads.

No specific commands are provided in the resources, but the above SQL query and version checks are practical starting points. [3, 4, 5]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the WP Mail Logging plugin to version 1.16.0 or later, where the vulnerability has been fixed by restricting unserialization to disallow PHP object instantiation.

If an immediate update is not possible, consider disabling or restricting access to the WP Mail Logging plugin's email log viewing functionality to trusted administrators only, to prevent deserialization of malicious payloads.

Additionally, monitor and sanitize inputs from public-facing email forms to prevent submission of double-serialized or malicious payloads.

Review installed plugins and themes for the presence of POP chains that could be exploited in conjunction with this vulnerability, and update or remove them as necessary. [1]
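The following PHP snippet is an added illustration for the detection and mitigation answers above; it is not code from the WP Mail Logging plugin or from Wordfence. It assumes a simplified storage model (a mail row serialized as an array whose `message` field is attacker-supplied form text), uses `stdClass` as a stand-in for whatever class a gadget chain in another plugin would name, and defines the hypothetical helpers `loadMessageUnsafe`, `loadMessageSafe` and `looksLikeSerializedObject`. It shows why a double-serialized field instantiates an object under a plain `unserialize()` call, how the fix described above (`allowed_classes => false`, available since PHP 7.0) turns the same input into an inert `__PHP_Incomplete_Class`, and a narrower stored-row heuristic than the `LIKE '%s:%'` query, which matches practically every row because ordinary serialized strings contain `s:`.

```php
<?php
// Added illustration (not the plugin's own code): double-serialized input,
// the unsafe and hardened unserialize() patterns, and a detection heuristic.

// Constructed sample: a form field whose value is itself a serialized object.
// stdClass stands in for a class a real gadget chain would name.
$formField = serialize((object) ['note' => 'constructed sample']);
// $formField === 'O:8:"stdClass":1:{s:4:"note";s:18:"constructed sample";}'

// The logging layer stores the mail fields as one serialized array.
$storedRow = serialize([
    'to'      => 'admin@example.invalid',
    'message' => $formField,
]);

// Vulnerable pattern: unserialize whatever the row holds, then unserialize
// the message again. The second call instantiates any class the input names.
function loadMessageUnsafe(string $row)
{
    $fields = unserialize($row);
    return unserialize($fields['message']);
}

// Hardened pattern: forbid object instantiation on both calls, so serialized
// objects become __PHP_Incomplete_Class placeholders with no magic methods run.
function loadMessageSafe(string $row)
{
    $fields = unserialize($row, ['allowed_classes' => false]);
    return unserialize($fields['message'], ['allowed_classes' => false]);
}

// Detection heuristic for stored log rows: look for the serialized-object
// marker O:<len>:"<ClassName>":<count>:{ rather than a bare "s:" substring.
function looksLikeSerializedObject(string $message): bool
{
    $pattern = '/(?:^|[{;:])O:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/';
    return (bool) preg_match($pattern, $message);
}

$unsafe = loadMessageUnsafe($storedRow);
$safe   = loadMessageSafe($storedRow);

var_dump(get_class($unsafe)); // string(8) "stdClass"  (real object created)
var_dump(get_class($safe));   // string(22) "__PHP_Incomplete_Class"  (inert)

var_dump(looksLikeSerializedObject($formField));                         // bool(true)
var_dump(looksLikeSerializedObject('Please call me at 555-0100: thanks')); // bool(false)
```

Running this on a stored row whose `message` column matches `looksLikeSerializedObject` is a reasonable triage step after the SQL query above has narrowed the candidate rows; the `allowed_classes` option addresses the instantiation, but the stored payload still warrants review and, as the mitigation answer says, the gadget-bearing plugin or theme still needs to be updated or removed.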