Skip to main content

Logtivity Activity Logs EUVDEUVD-2026-33690

| CVE-2026-42673 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-01 Patchstack GHSA-873w-p97p-f26x
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 17:18 vuln.today

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity allows Retrieve Embedded Sensitive Data.

This issue affects Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity: from n/a through 3.3.6.

AnalysisAI

Sensitive data exposure in the Logtivity Activity Logs, User Activity Tracking, Multisite Activity Log WordPress plugin (versions up to and including 3.3.6) allows remote unauthenticated attackers to retrieve embedded sensitive information from data sent by the plugin. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable exploitation with no privileges or user interaction, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Technical ContextAI

The affected component is a WordPress plugin published by Logtivity that records site activity, user actions, and multisite events. The root cause maps to CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the plugin embeds sensitive values into outbound data - typically log payloads, API responses, or telemetry transmissions - where they become observable to unintended parties. The CPE string cpe:2.3:a:logtivity_activity_logs:... confirms the affected product is the Logtivity plugin family covering activity logs, user activity tracking, and multisite activity logging. Because the plugin's purpose is to capture and transmit event data, the data-sending path is central to its function, making this class of weakness particularly relevant.

RemediationAI

No vendor-released patch identified at time of analysis from the provided data - the Patchstack advisory documents the issue through version 3.3.6 but no fixed version is enumerated in the input, so administrators should consult the Patchstack entry at https://patchstack.com/database/wordpress/plugin/logtivity/vulnerability/wordpress-activity-logs-user-activity-tracking-multisite-activity-log-from-logtivity-plugin-3-3-6-sensitive-data-exposure-vulnerability and the Logtivity vendor site for an updated release beyond 3.3.6 and upgrade as soon as one is available. As compensating controls, deactivate the plugin if activity logging is non-essential (trade-off: loss of audit trail and multisite event visibility), restrict outbound network egress from the WordPress host to only the Logtivity SaaS endpoint to prevent leakage to untrusted destinations (trade-off: may break legitimate integrations if egress rules are too narrow), and place any plugin-exposed REST or AJAX endpoints behind authentication via a WAF rule or .htaccess restriction (trade-off: may prevent legitimate unauthenticated callers if any exist). Rotate any secrets, API tokens, or session identifiers that may have been written into log payloads transmitted by the plugin.

Share

EUVD-2026-33690 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy