Skip to main content

Wp System Log CVE-2026-24987

| EUVDEUVD-2026-15606 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-8gw9-9659-grwg
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15606
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in activity-log.com WP System Log winterlock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP System Log: from n/a through <= 1.2.7.

AnalysisAI

Authenticated users can bypass authorization controls in WP System Log plugin versions up to 1.2.7 to modify system logs due to improper access control validation. An attacker with valid credentials could alter log data to cover tracks or manipulate audit records without additional privileges. No patch is currently available for this vulnerability.

Technical ContextAI

WP System Log is a WordPress plugin (CPE: cpe:2.3:a:activity-log.com:wp_system_log:*:*:*:*:*:*:*:*) designed to monitor and log system activities within WordPress installations. The vulnerability is classified as CWE-862 (Missing Authorization), which occurs when a software system fails to perform proper authorization checks before allowing a user to access protected resources or perform sensitive operations. In this case, the plugin's access control mechanisms are misconfigured, allowing users to interact with activity logging functionality without satisfying the required capability checks or role-based access control (RBAC) mechanisms that WordPress typically enforces through its nonces, capabilities system, and user role hierarchy. The root cause involves insufficient validation of user permissions before processing requests that interact with system logs.

RemediationAI

Immediately upgrade WP System Log to the latest available version beyond 1.2.7; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/winterlock/vulnerability/wordpress-wp-system-log-plugin-1-2-7-broken-access-control-vulnerability) and the official activity-log.com plugin repository for the patched release version and upgrade instructions. As an interim workaround pending patching, restrict access to the WP System Log plugin's functionality by using WordPress user role management to limit exposure to trusted administrator accounts only, and consider temporarily disabling the plugin if it is not immediately critical to operations. Additionally, audit recent activity logs for any suspicious access patterns or unauthorized modifications that may have occurred while the plugin was vulnerable.

Share

CVE-2026-24987 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy