PatchSiren cyber security CVE debrief

CVE-2026-42673 Logtivity Activity Logs CVE debrief

A HIGH severity vulnerability (CVSS 7.5) in the Logtivity Activity Logs WordPress plugin allows unauthenticated remote attackers to retrieve embedded sensitive data. The plugin fails to prevent insertion of sensitive information into sent data (CWE-201), exposing confidential material in outbound responses. Affected versions span from initial release through 3.3.6. The CVE was published on 2026-06-01 and carries a Deferred status in NVD. No known exploitation in ransomware campaigns has been documented.

Vendor: Logtivity Activity Logs
Product: Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

WordPress site administrators using the Logtivity Activity Logs plugin, security teams monitoring WordPress environments, and compliance officers responsible for data protection in content management systems.

Technical summary

The Logtivity Activity Logs plugin for WordPress (versions through 3.3.6) contains an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201). The plugin captures and transmits activity log data without adequately filtering or protecting embedded sensitive information. An unauthenticated remote attacker can exploit this weakness to retrieve confidential data from responses sent by the plugin. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects network accessibility, low attack complexity, no required privileges or user interaction, and high confidentiality impact with no impact on integrity or availability.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Logtivity Activity Logs plugin to a version newer than 3.3.6 as soon as a patched release becomes available
  • Review plugin settings and logged data fields to identify any sensitive information that may have been captured or transmitted
  • Audit WordPress site access logs for unusual unauthenticated requests targeting Logtivity endpoints around and after 2026-06-01
  • Consider temporarily disabling the plugin if no patch is available and the functionality is not critical
  • Implement Web Application Firewall rules to restrict access to Logtivity API endpoints if feasible
  • Review and rotate any credentials or tokens that may have been logged by the plugin
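As an added illustration that is not Logtivity's code, the block below shows a hypothetical WordPress activity-log REST endpoint in the weak CWE-201 shape the technical summary describes, beside a hardened form that enforces a capability check and redacts sensitive fields before anything is serialized; the route names, option name, helper names and sensitive-key list are assumptions.

```php
<?php
// Hypothetical plugin code illustrating CWE-201 in an activity-log endpoint.
// Not Logtivity's code; route names, option name and field list are assumed.

// Keys whose values must never leave the server inside a log response.
const ACTLOG_SENSITIVE_KEYS = [
    'password', 'pass', 'user_pass', 'token', 'api_key', 'secret',
    'authorization', 'cookie', 'nonce',
];

// Recursively mask sensitive keys in one log entry (nested arrays included).
function actlog_redact_entry( array $entry ): array {
    foreach ( $entry as $key => $value ) {
        if ( is_array( $value ) ) {
            $entry[ $key ] = actlog_redact_entry( $value );
        } elseif ( in_array( strtolower( (string) $key ), ACTLOG_SENSITIVE_KEYS, true ) ) {
            $entry[ $key ] = '[REDACTED]';
        }
    }
    return $entry;
}

// Stand-in for the plugin's storage layer (assumption).
function actlog_fetch_entries(): array {
    return get_option( 'actlog_entries', [] );
}

add_action( 'rest_api_init', function () {
    // Weak pattern: a public route that returns raw log rows (captured form
    // fields, headers, request context) to any unauthenticated caller.
    register_rest_route( 'actlog/v1', '/entries-unsafe', [
        'methods'             => 'GET',
        'permission_callback' => '__return_true',
        'callback'            => fn() => actlog_fetch_entries(),
    ] );

    // Hardened: require an administrator capability, and redact sensitive
    // fields even for authorized callers so they never reach the wire.
    // Applying the same redaction at capture time also protects any copy
    // the plugin forwards to an external log service.
    register_rest_route( 'actlog/v1', '/entries', [
        'methods'             => 'GET',
        'permission_callback' => fn() => current_user_can( 'manage_options' ),
        'callback'            => function () {
            $rows = array_map( 'actlog_redact_entry', actlog_fetch_entries() );
            return new WP_REST_Response( $rows, 200 );
        },
    ] );
} );
```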

Evidence notes

Vulnerability identified via Patchstack audit. CVSS vector confirms network attack vector with low complexity, no privileges required, no user interaction, and high confidentiality impact with no integrity or availability impact.
