Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity allows Retrieve Embedded Sensitive Data.
This issue affects Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity: from n/a through 3.3.6.
AnalysisAI
Sensitive data exposure in the Logtivity Activity Logs, User Activity Tracking, Multisite Activity Log WordPress plugin (versions up to and including 3.3.6) allows remote unauthenticated attackers to retrieve embedded sensitive information from data sent by the plugin. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable exploitation with no privileges or user interaction, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Technical ContextAI
The affected component is a WordPress plugin published by Logtivity that records site activity, user actions, and multisite events. The root cause maps to CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the plugin embeds sensitive values into outbound data - typically log payloads, API responses, or telemetry transmissions - where they become observable to unintended parties. The CPE string cpe:2.3:a:logtivity_activity_logs:... confirms the affected product is the Logtivity plugin family covering activity logs, user activity tracking, and multisite activity logging. Because the plugin's purpose is to capture and transmit event data, the data-sending path is central to its function, making this class of weakness particularly relevant.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data - the Patchstack advisory documents the issue through version 3.3.6 but no fixed version is enumerated in the input, so administrators should consult the Patchstack entry at https://patchstack.com/database/wordpress/plugin/logtivity/vulnerability/wordpress-activity-logs-user-activity-tracking-multisite-activity-log-from-logtivity-plugin-3-3-6-sensitive-data-exposure-vulnerability and the Logtivity vendor site for an updated release beyond 3.3.6 and upgrade as soon as one is available. As compensating controls, deactivate the plugin if activity logging is non-essential (trade-off: loss of audit trail and multisite event visibility), restrict outbound network egress from the WordPress host to only the Logtivity SaaS endpoint to prevent leakage to untrusted destinations (trade-off: may break legitimate integrations if egress rules are too narrow), and place any plugin-exposed REST or AJAX endpoints behind authentication via a WAF rule or .htaccess restriction (trade-off: may prevent legitimate unauthenticated callers if any exist). Rotate any secrets, API tokens, or session identifiers that may have been written into log payloads transmitted by the plugin.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33690
GHSA-873w-p97p-f26x