Liaison Site Prober EUVD-2026-25406

| CVE-2026-3569 MEDIUM
Missing Authorization (CWE-862)
2026-04-24 Wordfence GHSA-x2pj-x7hv-qm35
WordPress Authentication Bypass Information Disclosure
5.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 24, 2026 - 08:30 vuln.today

DescriptionNVD

The Liaison Site Prober plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 1.2.1 via the /wp-json/site-prober/v1/logs REST API endpoint. The permissions_read() permission callback unconditionally returns true (via __return_true()) instead of checking for appropriate capabilities. This makes it possible for unauthenticated attackers to retrieve sensitive audit log data including IP addresses, user IDs, usernames, login/logout events, failed login attempts, and detailed activity descriptions.

AnalysisAI

Liaison Site Prober plugin for WordPress allows unauthenticated attackers to retrieve sensitive audit log data including IP addresses, user IDs, usernames, and login events through an improperly secured REST API endpoint (/wp-json/site-prober/v1/logs) in all versions up to 1.2.1. The vulnerability stems from a permission callback that unconditionally returns true without validating user capabilities, enabling information disclosure with network-level access and no authentication required. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

EUVD-2026-25406 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy