CVE-2026-1671
Awaiting Analysis Awaiting Analysis - Queue
Unauthorized Data Access in WordPress Activity Log Plugin

Publication date: 2026-02-12

Last updated on: 2026-02-12

Assigner: Wordfence

Description
The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winter_activity_log_action() function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view potentially sensitive information (e.g., the password of a higher level user, such as an administrator) contained in the exposed log files.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1671
EUVD
EUVD-2026-7043
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence winter_activity_log to 1.2.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Activity Log for WordPress plugin is vulnerable due to a missing capability check in the winter_activity_log_action() function in all versions up to and including 1.2.8.

This vulnerability allows authenticated attackers with Subscriber-level access or higher to access sensitive information contained in the plugin's log files.

Specifically, attackers can view potentially sensitive data such as the passwords of higher-level users like administrators.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored in the plugin's activity logs.

An attacker with Subscriber-level access could exploit this flaw to view passwords and other sensitive data of higher privileged users, potentially leading to privilege escalation or account compromise.

Such exposure can undermine the security of the WordPress site and its users.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability exists in all versions of the Activity Log for WordPress plugin up to and including version 1.2.8. To mitigate this vulnerability, you should update the plugin to a version later than 1.2.8 where the missing capability check issue is resolved.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1671. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart