Description
Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity allows Retrieve Embedded Sensitive Data.

This issue affects Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity: from n/a through 3.3.6.
Published: 2026-06-01
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin inserts sensitive information into the data it sends for its logs, which allows an attacker to retrieve that embedded sensitive data. The weakness is a data exposure flaw that falls under CWE-201. As a result, any entity that has access to the activity logs can view confidential information that should not be visible, potentially leaking credentials, personal data, or other secrets.

Affected Systems

The Logtivity Activity Logs, User Activity Tracking, Multisite Activity Log plugin, versions up to and including 3.3.6, is affected. All WordPress sites that have installed this plugin within this version range are at risk. No specific WordPress core version is mentioned, so the vulnerability applies broadly to any WordPress instance using a vulnerable plugin release.

Risk and Exploitability

The reported CVSS score of 7.5 indicates high severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known large-scale exploitation yet. The attack vector is not disclosed in the description; however, it is reasonable to infer that an attacker would need (or be able to obtain) access to the activity logs, which may be visible to authenticated users or potentially to all visitors depending on plugin configuration. Once the logs are accessed, the attacker can exfiltrate the sensitive information.

Generated by OpenCVE AI on June 1, 2026 at 18:41 UTC.

Remediation

Vendor Solution

Update the WordPress Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity Plugin to the latest available version (at least 3.3.7).


OpenCVE Recommended Actions

  • Update the Logtivity plugin to version 3.3.7 or later, which removes the data exposure flaw.
  • Disable or restrict log visibility for administrators and regular users to prevent accidental exposure of sensitive data.
  • Delete any existing logs that may contain sensitive information prior to applying the patch.

Generated by OpenCVE AI on June 1, 2026 at 18:41 UTC.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 01 Jun 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity allows Retrieve Embedded Sensitive Data. This issue affects Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity: from n/a through 3.3.6. |
| Title | | WordPress Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin <= 3.3.6 - Sensitive Data Exposure vulnerability |
| Weaknesses | | CWE-201 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-01T17:06:40.773Z

Reserved: 2026-04-29T09:04:52.624Z

Link: CVE-2026-42673

Vulnrichment

Updated: 2026-06-01T17:06:34.641Z

NVD

Status: Deferred

Published: 2026-06-01T17:16:59.793

Modified: 2026-06-01T17:57:16.380

Link: CVE-2026-42673

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T18:45:34Z

Weaknesses