PatchSiren cyber security CVE debrief
CVE-2026-8198 Plugins CVE debrief
CVE-2026-8198 is a WordPress plugin vulnerability in Logtivity versions up to and including 3.3.6. A logic flaw in the plugin's authorization verification lets a request that omits the Authorization header skip Bearer token validation entirely and reach the /wp-json/logtivity/v1/options endpoint without credentials. The result is information disclosure of plugin configuration data, including a site API key that could be used to impersonate the site in Logtivity service API calls. The issue was published on 2026-05-09 and carries a CVSS 3.1 base score of 5.3 (medium).
- Vendor: Plugins (as recorded in the source metadata)
- Product: Logtivity WordPress plugin (recorded as Unknown in the source metadata)
- CVSS: 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
WordPress administrators and security teams running the Logtivity plugin should treat this as relevant, especially if the plugin is installed on public-facing sites or the Logtivity service integration is in use. Any site running version 3.3.6 or earlier may expose its configuration data, including the site API key, through the REST endpoint to anyone who can reach the site, since no login or token is needed.
Technical summary
According to the supplied references, the vulnerable code is in Logtivity_Rest_Endpoints.php. In versions 3.3.6 and earlier, the verifyAuthorization method can skip Bearer token validation when the Authorization header is absent and then fall through to an unconditional return true path. That breaks access control for the /wp-json/logtivity/v1/options REST endpoint, allowing unauthenticated access to stored plugin options. The disclosed data includes logtivity_site_api_key, which materially increases impact because it may allow site impersonation in Logtivity service API requests. The issue maps to CWE-200 (information exposure) in the provided source metadata.
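To make the fail-open pattern concrete, the following Python model is an added example written for this debrief; it is not the plugin's Logtivity_Rest_Endpoints.php and is not claimed to match its code line by line. It models the check as the advisory describes it (Bearer validation only when the header is present, then an unconditional `return True`) next to a fail-closed version. The function names, the header handling, the stored option names beyond logtivity_site_api_key and the placeholder key are all assumptions.

```python
import hmac
from typing import Callable, Mapping, Optional, Tuple

# Constructed sample data for this example only. The key is a placeholder,
# not a real Logtivity site key, and the option names beyond
# logtivity_site_api_key are assumptions.
SITE_API_KEY = "example-site-api-key-0123456789"
STORED_OPTIONS = {
    "logtivity_site_api_key": SITE_API_KEY,
    "logtivity_enable_logging": True,
}

Verifier = Callable[[Mapping[str, str], str], bool]


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; look them up that way."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def verify_authorization_vulnerable(headers: Mapping[str, str], expected_key: str) -> bool:
    """Model of the fail-open check described in the advisory.

    The Bearer comparison only runs when an Authorization header is present.
    A request that omits the header skips the comparison entirely and reaches
    the unconditional `return True`, so it is treated as authorized.
    """
    auth = _header(headers, "Authorization")
    if auth is not None:
        scheme, _, token = auth.partition(" ")
        if scheme != "Bearer" or token != expected_key:
            return False
    return True  # reached by valid requests AND by requests with no header at all


def verify_authorization_fixed(headers: Mapping[str, str], expected_key: str) -> bool:
    """Fail-closed version: missing header, wrong scheme and wrong token all deny."""
    auth = _header(headers, "Authorization")
    if auth is None:
        return False
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    # Constant-time comparison so the key cannot be recovered from timing differences.
    return hmac.compare_digest(token.encode(), expected_key.encode())


def handle_options_request(headers: Mapping[str, str], verifier: Verifier) -> Tuple[int, dict]:
    """Model of the /wp-json/logtivity/v1/options handler: returns (HTTP status, body)."""
    if not verifier(headers, SITE_API_KEY):
        return 401, {"code": "rest_forbidden", "message": "Authorization required"}
    return 200, dict(STORED_OPTIONS)


if __name__ == "__main__":
    requests = {
        "no header": {},
        "wrong token": {"Authorization": "Bearer not-the-key"},
        "valid token": {"authorization": f"Bearer {SITE_API_KEY}"},
    }
    for label, hdrs in requests.items():
        vuln_status, vuln_body = handle_options_request(hdrs, verify_authorization_vulnerable)
        fixed_status, _ = handle_options_request(hdrs, verify_authorization_fixed)
        leaked = "logtivity_site_api_key" in vuln_body
        print(f"{label:12s} vulnerable={vuln_status} (key disclosed: {leaked})  fixed={fixed_status}")
```

Running the script shows the "no header" request receiving a 200 and the full options map, key included, from the vulnerable verifier, while the fixed verifier returns 401. The design difference is that in the fixed version every branch that is not a successful comparison returns False, so there is no path to `return True` that skips the check; in a WordPress plugin that logic belongs in the route's permission_callback so an unauthenticated request never reaches the handler at all.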
Defensive priority
Medium. The vector scores confidentiality as Low (C:L) because only plugin configuration is disclosed, but that configuration contains a secret usable for downstream impersonation of the site, which the base score does not capture. Affected sites should prioritize remediation if the plugin is installed and the site is reachable from untrusted networks.
Recommended defensive actions
- Update Logtivity to version 3.3.7 or later, which is the fixed version referenced in the source corpus. Confirm the installed version from the plugin header rather than from memory; 3.3.6 and every earlier release are affected.
- Determine whether /wp-json/logtivity/v1/options was reachable without valid authorization before patching. If the site was public while a vulnerable version was installed, assume the options payload, including the API key, may have been read.
- Treat any exposed logtivity_site_api_key as compromised and replace it if your Logtivity service workflow supports key regeneration or replacement. Rotate the key only after the plugin is updated; a key rotated on a still-vulnerable site is disclosed the same way.
- Review web server and application logs for requests to the Logtivity REST endpoints around the disclosure date and afterward. Standard access logs do not record the Authorization header, so a 200 response on the options endpoint from an unexpected source cannot be confirmed as legitimate from the log line alone and should be reviewed.
- Restrict exposure of administrative and plugin REST endpoints where possible, and confirm the plugin is only installed on sites that actually need it.
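The version check and the log review above can be scripted. The following triage script is an added example written for this debrief, not a Logtivity or Wordfence tool. It reads the Version line from a WordPress plugin's main file header, compares it against the fixed release, and scans combined-format access log lines for requests to the options endpoint in both URL forms WordPress accepts (the /wp-json path and the ?rest_route= form used when pretty permalinks are off). The sample log lines and plugin header are constructed, the IP addresses are documentation ranges, and the expected-source allowlist is an assumption you would fill with the addresses your Logtivity integration actually uses.

```python
import re
from typing import Dict, FrozenSet, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (3, 3, 7)  # first fixed release per the source corpus
ENDPOINT_PATH = "/wp-json/logtivity/v1/options"
REST_ROUTE = "/logtivity/v1/options"  # same endpoint when pretty permalinks are off


def parse_version(version: str) -> tuple:
    """Turn '3.3.6' into (3, 3, 6); a suffix such as '-beta' is ignored."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) + (0,) * (3 - len(parts))


def is_vulnerable_version(version: str) -> bool:
    """True for Logtivity 3.3.6 and earlier."""
    return parse_version(version) < FIXED_VERSION


def version_from_plugin_header(plugin_php: str) -> Optional[str]:
    """Read the 'Version:' line from a WordPress plugin's main file header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", plugin_php, re.MULTILINE)
    return m.group(1) if m else None


def targets_options_endpoint(request_target: str) -> bool:
    """Match both URL forms WordPress accepts for the same REST route."""
    parts = urlsplit(request_target)
    if parts.path.rstrip("/") == ENDPOINT_PATH:
        return True
    for route in parse_qs(parts.query).get("rest_route", []):
        if route.rstrip("/") == REST_ROUTE:
            return True
    return False


# Common/combined access-log line: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_options_endpoint_hits(log_lines: Iterable[str],
                               expected_ips: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Every request to the options endpoint, flagged where the body was served (200).

    Access logs do not record the Authorization header, so a 200 cannot be
    told apart from a legitimate Logtivity call by the log line alone; the
    expected_ips allowlist is the only filter available at this layer.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not targets_options_endpoint(m.group("target")):
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": status,
            "disclosed": status == 200,
            "expected_source": m.group("ip") in expected_ips,
        })
    return hits


# Constructed sample log lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2026:08:12:01 +0000] "GET /wp-json/logtivity/v1/options HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.7 - - [10/May/2026:08:15:44 +0000] "GET /?rest_route=/logtivity/v1/options HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/May/2026:08:16:02 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9823 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2026:09:00:00 +0000] "GET /wp-json/logtivity/v1/options/ HTTP/1.1" 401 89 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    # Constructed plugin header; on a real site read the plugin's main PHP file instead.
    header = "<?php\n/**\n * Plugin Name: Logtivity\n * Version: 3.3.6\n */\n"
    ver = version_from_plugin_header(header)
    print(f"installed {ver}: {'VULNERABLE' if ver and is_vulnerable_version(ver) else 'fixed'}")
    # Assumed allowlist: replace with the addresses your Logtivity integration really uses.
    for hit in find_options_endpoint_hits(SAMPLE_LOG.splitlines(), frozenset({"192.0.2.44"})):
        print(hit)
```

On the constructed sample the script reports 3.3.6 as vulnerable and lists three endpoint hits: two 200 responses from addresses outside the allowlist (the ones to review as probable disclosures) and one 401. Because the allowlist is the only signal the access log offers, treat every unexplained 200 as a reason to rotate the key rather than as proof of compromise.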
Evidence notes
This debrief is based on the supplied NVD record and Wordfence-referenced source links. The key evidence is the Logtivity_Rest_Endpoints.php code in 3.3.6 and 3.3.7, plus the WordPress changeset reference indicating a fix in 3.3.7. The supplied metadata identifies the weakness as CWE-200 and the CVSS vector as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. No exploit steps or unsupported details were used.
Official resources
Publicly disclosed on 2026-05-09 in the supplied NVD record, with supporting source references pointing to the vulnerable 3.3.6 code and the 3.3.7 fix.