CVE-2026-1671 identifies a missing authorization vulnerability (CWE-862) in the Activity Log for WordPress plugin developed by switcorp, affecting all versions up to and including 1.2.8. The vulnerability exists because the winter_activity_log_action() function lacks proper capability checks, allowing any authenticated user with Subscriber-level privileges or higher to access sensitive information stored in activity log files. These logs may contain critical data such as administrator passwords or other confidential details, which should normally be restricted to high-privilege users. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, privileges required at a low level, no user interaction, unchanged scope, and high impact on confidentiality but no impact on integrity or availability. No patches or exploits are currently publicly available, but the flaw poses a significant risk to confidentiality if exploited. The plugin is widely used in WordPress environments, which are prevalent globally, making this a relevant threat for many organizations that rely on WordPress for content management and user activity auditing.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information, including potentially administrator passwords and other confidential log data. This breach of confidentiality can lead to privilege escalation, unauthorized access to administrative functions, and further compromise of the affected WordPress site. Organizations relying on the Activity Log plugin for auditing and security monitoring may have their logs exposed to lower-privileged users, undermining trust and security posture. While the vulnerability does not affect system integrity or availability directly, the exposure of sensitive credentials can facilitate more severe attacks such as account takeover, data theft, or site defacement. The ease of exploitation by any authenticated user with minimal privileges increases the risk, especially in environments with many users or where subscriber accounts are common. This can affect websites ranging from small blogs to large enterprise portals, potentially impacting customer data, internal communications, and operational security.

To mitigate this vulnerability, organizations should immediately restrict Subscriber-level user access where possible, minimizing the number of users with such privileges. Administrators should audit existing user roles and permissions to ensure no unnecessary accounts have access to the WordPress backend. Since no patch is currently available, consider disabling or uninstalling the Activity Log plugin temporarily if feasible. Monitor logs for unusual access patterns or attempts to retrieve sensitive log data. When a patch is released, apply it promptly to restore proper authorization checks. Additionally, implement file system permissions to restrict access to log files at the server level, ensuring that only authorized users and processes can read sensitive logs. Employ multi-factor authentication for all administrative accounts to reduce the risk of credential compromise. Regularly review and update WordPress and plugin versions to maintain security hygiene.