WordPress Plugin Vulnerabilities

Activity Log for WordPress < 1.2.9 - Missing Authorization to Sensitive Information Exposure via Log File

Description

The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winter_activity_log_action() function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view potentially sensitive information (e.g., the password of a higher level user, such as an administrator) contained in the exposed log files.

Affects Plugins

Plugin icon
winterlock
Fixed in 1.2.9

References

CVE
CVE-2026-1671
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5cec4c17-24c1-4ed3-a3d3-9404ad7af420

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777)
Verified
No
WPVDB ID
ffcd52cc-424a-458b-b54d-94a01df5f225

Timeline

Publicly Published
2026-02-11 (about 1 month ago)
Added
2026-02-12 (about 1 month ago)
Last Updated
2026-02-12 (about 1 month ago)

Other

Published
Title
Published
2024-12-14
Title
WP-CRM System < 3.4.0 - Unauthenticated Duplicate Contact Settings Update
Published
2023-01-10
Title
Royal Elementor Addons < 1.3.60 - Subscriber+ Template Kit Import
Published
2025-12-04
Title
Xagio SEO <= 7.1.0.29 - Missing Authorization
Published
2024-06-07
Title
Simple Photoswipe <= 0.1 - Subscriber+ Arbitrary Settings Update
Published
2024-04-15
Title
Mega Addons For Elementor < 1.9 - Missing Authorization