Plugins CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Plugins CVE published 2026-05-09

CVE-2026-8198

CVE-2026-8198 is a WordPress plugin vulnerability in Logtivity versions up to and including 3.3.6. A logic flaw in the plugin’s authorization verification can allow requests without an Authorization header to bypass Bearer token validation and reach the /wp-json/logtivity/v1/options endpoint. The result is information disclosure of plugin configuration data, including a site API key that could be used to [truncated]

MEDIUM Plugins CVE published 2026-05-09

CVE-2026-7652

CVE-2026-7652 is an unauthenticated account-takeover issue in the LatePoint WordPress plugin's guest booking flow. In the vulnerable configuration described in the source record, a guest booking can overwrite a customer's email and that email can then be propagated to a linked WordPress user account without ownership verification, allowing a password-reset hijack.