CVE-2026-42673 | Severity: HIGH | CNA: Patchstack

CVE-2026-42673: WordPress Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin <= 3.3.6 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity allows Retrieve Embedded Sensitive Data. This issue affects Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity: from n/a through 3.3.6.

Metrics

  • CVSS v3.1 base score: 7.5
  • Severity: HIGH
  • Fixed in: no fixed version published upstream
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is a sensitive data exposure vulnerability in the Logtivity Activity Logs, User Activity Tracking, and Multisite Activity Log WordPress plugin (versions up to and including 3.3.6). The plugin inserts sensitive information into data it transmits over the network, and the flaw is reachable remotely without any authentication. Successful exploitation allows an attacker to retrieve embedded sensitive data from the transmitted payload, resulting in confidentiality loss. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Patchstack advisory feed) within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle this plugin. No manual scan trigger is required.
Triage: Available

HarborGuard scores this finding at CVSS 7.5 (HIGH) per the v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are automatically dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the Patchstack advisory and relevant upstream sources on every ingest cycle. The moment a patched release is available, a rebuilt image at that version becomes available, and customers with auto-remediation enabled will receive a rebuild, a regression-test run, and a PR opened against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via standard HTTP/HTTPS to trigger the data leak.

  • Authentication: Not required

    No account or session credentials are needed; the flaw is exploitable by any unauthenticated party who can send a request to the affected service.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user; exploitation requires no social-engineering step and can be fully automated.

  • Attack complexity: Low

    Attack complexity is low (AC:L in the CVSS vector), meaning exploitation is straightforward and depends on no race conditions or special environmental factors.

Blast Radius

  • An attacker retrieves sensitive information embedded in data the plugin transmits, which may include API keys, session tokens, user credentials, or other application secrets depending on what the plugin logs and sends.
  • Exposed credentials or tokens can be replayed to authenticate to connected services or administrative interfaces, extending the attacker's reach beyond the WordPress host.
  • Logged user-activity data containing personally identifiable information (PII) or behavioral records may be disclosed, creating regulatory and compliance exposure for the affected organization.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists as of the CVE publication date, HarborGuard continuously monitors the Patchstack advisory and associated upstream sources on every ingest cycle and will surface a patched-image rebuild the moment a fix is released. In the interim, customers can apply compensating controls through HarborGuard's network-policy recommendations, such as restricting outbound egress from WordPress containers to only known-good endpoints, isolating affected deployments with tightened ingress rules, or using a web application firewall rule to block suspicious enumeration of transmitted payloads. For customers who opt into auto-remediation, once a fix version is published, HarborGuard will trigger a rebuild, run regression tests, and open a PR against affected workloads automatically; for high-severity issues in environments with auto-remediation enabled, the median time from CVE resolution to a merged patch PR is around 90 minutes.

Affected packages
  • Logtivity Activity Logs / Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity: versions ≤ 3.3.6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N