Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in activity-log.com WP System Log winterlock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP System Log: from n/a through <= 1.2.7.
AnalysisAI
Authenticated users can bypass authorization controls in WP System Log plugin versions up to 1.2.7 to modify system logs due to improper access control validation. An attacker with valid credentials could alter log data to cover tracks or manipulate audit records without additional privileges. No patch is currently available for this vulnerability.
Technical ContextAI
WP System Log is a WordPress plugin (CPE: cpe:2.3:a:activity-log.com:wp_system_log:*:*:*:*:*:*:*:*) designed to monitor and log system activities within WordPress installations. The vulnerability is classified as CWE-862 (Missing Authorization), which occurs when a software system fails to perform proper authorization checks before allowing a user to access protected resources or perform sensitive operations. In this case, the plugin's access control mechanisms are misconfigured, allowing users to interact with activity logging functionality without satisfying the required capability checks or role-based access control (RBAC) mechanisms that WordPress typically enforces through its nonces, capabilities system, and user role hierarchy. The root cause involves insufficient validation of user permissions before processing requests that interact with system logs.
RemediationAI
Immediately upgrade WP System Log to the latest available version beyond 1.2.7; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/winterlock/vulnerability/wordpress-wp-system-log-plugin-1-2-7-broken-access-control-vulnerability) and the official activity-log.com plugin repository for the patched release version and upgrade instructions. As an interim workaround pending patching, restrict access to the WP System Log plugin's functionality by using WordPress user role management to limit exposure to trusted administrator accounts only, and consider temporarily disabling the plugin if it is not immediately critical to operations. Additionally, audit recent activity logs for any suspicious access patterns or unauthorized modifications that may have occurred while the plugin was vulnerable.
More in Wp System Log
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15606
GHSA-8gw9-9659-grwg