Description
Missing Authorization vulnerability in activity-log.com WP System Log winterlock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP System Log: from n/a through <= 1.2.7.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to system logs due to missing authorization checks
Action: Immediate Patch
AI Analysis

Impact

Missing authorization checks in the WP System Log plugin for WordPress allow an attacker to read or otherwise manipulate log data that should be restricted to privileged users. This forms a classic Broken Access Control weakness, as defined by CWE-862, and can expose sensitive operational information or enable further compromise if logs contain exploitable data.

Affected Systems

The vulnerability affects the WP System Log plugin developed by activity‑log.com. All versions from the earliest release up to and including 1.2.7 are impacted. Users running this plugin on any WordPress site are potentially exposed.

Risk and Exploitability

The CVSS score is not supplied, and EPSS information is unavailable, so the quantitative risk is unclear. However, because the flaw resides in a web‑based plugin, exploitation would occur remotely via HTTP requests to the plugin’s endpoints. It is inferred that the attack vector requires web access to the site, and the lack of an authentication requirement for the vulnerable actions suggests that the threat can be exercised by unauthenticated users or those with low privileges.

Generated by OpenCVE AI on March 25, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP System Log plugin to a version newer than 1.2.7 as soon as a fixed release becomes available
  • If an upgraded version is not available, remove or disable the plugin from the WordPress installation
  • Restrict access to the plugin’s administrative interface to trusted administrators only
  • Verify that the applied fix is effective by attempting to access log data after the update or removal

Generated by OpenCVE AI on March 25, 2026 at 17:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Thu, 26 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Activity-log.com
Activity-log.com wp System Log
Wordpress
Wordpress wordpress
Vendors & Products Activity-log.com
Activity-log.com wp System Log
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in activity-log.com WP System Log winterlock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP System Log: from n/a through <= 1.2.7.
Title WordPress WP System Log plugin <= 1.2.7 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Activity-log.com Wp System Log
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:07.692Z

Reserved: 2026-01-28T09:50:51.016Z

Link: CVE-2026-24987

cve-icon Vulnrichment

Updated: 2026-03-26T16:32:26.744Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:40.873

Modified: 2026-04-23T15:36:58.720

Link: CVE-2026-24987

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T11:39:41Z

Weaknesses