CVE-2026-42673: Logtivity Activity Logs Information Disclosure (CVSS 7.5)
Logtivity's Activity Logs plugin leaks sensitive information that should not be transmitted. The vulnerability allows unauthorized users to retrieve embedded sensitive data through the plugin's normal network communication channels. This affects all versions through 3.3.6 and requires patching to prevent data exposure.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-201
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity allows Retrieve Embedded Sensitive Data. This issue affects Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity: from n/a through 3.3.6.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42673 is an information disclosure vulnerability (CWE-201) in Logtivity's Activity Logs, User Activity Tracking, and Multisite Activity Log plugins. The flaw stems from improper handling of sensitive data in outbound communications. Rather than filtering or encrypting sensitive values before transmission, the plugin embeds them in sent data where they can be retrieved by network-positioned or authenticated attackers. The vulnerability has a CVSS 3.1 score of 7.5 (HIGH) with a network attack vector, no authentication requirement, and high confidentiality impact.
Business impact
If your organization uses Logtivity for activity logging across WordPress sites, this vulnerability exposes sensitive information that may include user credentials, API keys, personal identifiers, or other protected data stored in activity logs. Exposed credentials could enable lateral movement or account compromise. The lack of authentication requirements amplifies risk—attackers need only network access. For organizations subject to GDPR, HIPAA, or PCI-DSS, unencrypted transmission of sensitive data may trigger breach notification and compliance violations.
Affected systems
The vulnerability affects Logtivity's Activity Logs, User Activity Tracking, and Multisite Activity Log plugins in all versions from the earliest through 3.3.6. Users running any version at or below 3.3.6 are vulnerable and should assume exposure. Organizations should audit their installed Logtivity plugin versions immediately.
Exploitability
The attack is highly exploitable. No user interaction is required, authentication is not required, and the attack surface is the network layer itself—an attacker positioned on the network or with the ability to intercept traffic can passively retrieve sensitive data from the plugin's outbound communications. This makes the vulnerability attractive for both targeted and opportunistic exploitation. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects trivial attack complexity.
Remediation
Update Logtivity plugins to a version newer than 3.3.6 as soon as a patched release is available. Before patching, consider temporarily disabling the Logtivity Activity Logs functionality if feasible. Review audit logs and activity records for indicators of unauthorized access, and reset credentials for any accounts that may have been exposed through the plugin. Verify your patched plugin version against the Logtivity security advisory to confirm the fix is included.
Patch guidance
Check the Logtivity website and WordPress.org plugin repository for version releases newer than 3.3.6. Logtivity should issue a security advisory with a fixed version number; when available, prioritize updating to that version. Apply the patch in a non-production environment first to validate compatibility with your site and other plugins. After patching, confirm in your WordPress dashboard that the plugin version has been updated correctly. If no patch has been released at the time of your update attempt, contact Logtivity support for an estimated fix timeline.
Detection guidance
Monitor network traffic for suspicious requests to Logtivity plugin endpoints; look for unusual data exfiltration patterns or large data transfers to unexpected destinations. Check WordPress plugin integrity by comparing installed plugin files against official Logtivity releases using a file-hash verification tool. Review server logs for failed or successful authentication attempts targeting activity log endpoints. Scan your WordPress environment using security plugins that flag vulnerable plugin versions. Consider enabling detailed activity logging in WordPress to detect attackers querying or exfiltrating log data after compromise.
Why prioritize this
This vulnerability merits immediate prioritization. It requires no authentication, no user interaction, and has high confidentiality impact—a trifecta of exploitability factors. The network-attack vector means any internet-facing WordPress installation running the vulnerable plugin is exposed. For organizations handling regulated data (payments, health records, PII), the exposure carries compliance and legal consequences. Patch as an emergency priority rather than a routine update.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects the combination of network-level attack feasibility (AV:N), low attack complexity (AC:L), no privilege requirements (PR:N), no user interaction (UI:N), and high confidentiality impact (C:H). Integrity and availability are not compromised, limiting the scope, but the confidentiality breach alone justifies the HIGH rating. Organizations relying on Logtivity for compliance-sensitive logging should treat this as a critical exposure requiring urgent remediation.
Frequently asked questions
Does this vulnerability require the attacker to have WordPress admin credentials?
No. The CVSS vector shows PR:N (no privilege required). An attacker positioned on the network or able to intercept traffic can passively retrieve sensitive data from the plugin's outbound communications without logging in.
If we disable the Logtivity plugin, are we protected?
Yes, disabling the plugin eliminates the attack surface. However, you will lose activity logging functionality. This is a temporary measure until a patch is released and deployed. Use it only if Logtivity has not yet released a fixed version.
What kind of sensitive data might be exposed?
The vulnerability allows retrieval of embedded sensitive data in the plugin's sent data. This could include user credentials, API keys, authentication tokens, personally identifiable information (PII), or other secrets stored in activity logs. Review your specific Logtivity logging configuration to understand what sensitive data your instance captures.
Is there a workaround if we can't patch immediately?
Temporarily restrict network access to WordPress admin and Logtivity plugin endpoints using a Web Application Firewall (WAF) or network ACLs. This reduces exposure while you prepare for patching, but is not a substitute for applying the fix. Prioritize obtaining and testing a patch as your primary remediation.
This analysis is provided for informational and defensive purposes. Verify all technical details, patch version numbers, and remediation steps against the official Logtivity security advisory and vendor documentation. The vulnerability landscape may evolve; monitor Logtivity and security mailing lists for updated guidance. This explainer does not constitute legal, compliance, or professional security advice. Organizations subject to regulatory frameworks should consult their compliance and legal teams regarding breach notification and remediation timelines. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-4035HIGHMLflow AI Gateway Environment Variable Credential Exposure
- CVE-2026-10101MEDIUMACM/MCE Pull-Secret Credential Exposure via InfraEnv Status
- CVE-2026-42539MEDIUMIRIS Information Disclosure Vulnerability (6.5 CVSS) – Patch to 2.4.28
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)