{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24987", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:51.016Z", "datePublished": "2026-03-25T16:14:36.023Z", "dateUpdated": "2026-04-28T16:14:52.658Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "winterlock", "product": "WP System Log", "vendor": "activity-log.com", "versions": [{"changes": [{"at": "1.2.8", "status": "unaffected"}], "lessThanOrEqual": "1.2.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:27.774Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in activity-log.com WP System Log winterlock allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP System Log: from n/a through <= 1.2.7.</p>"}], "value": "Missing Authorization vulnerability in activity-log.com WP System Log winterlock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP System Log: from n/a through <= 1.2.7."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:52.658Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/winterlock/vulnerability/wordpress-wp-system-log-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP System Log plugin <= 1.2.7 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T16:44:39.460419Z", "id": "CVE-2026-24987", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:38:51.210Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24987", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:44:39.460419Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:32:26.744Z"}}], "cna": {"title": "WordPress WP System Log plugin <= 1.2.7 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "activity-log.com", "product": "WP System Log", "versions": [{"status": "affected", "changes": [{"at": "1.2.8", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.7"}], "packageName": "winterlock", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:27.774Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/winterlock/vulnerability/wordpress-wp-system-log-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in activity-log.com WP System Log winterlock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP System Log: from n/a through <= 1.2.7.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in activity-log.com WP System Log winterlock allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP System Log: from n/a through <= 1.2.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:07.692Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24987", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:38:51.210Z", "dateReserved": "2026-01-28T09:50:51.016Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:36.023Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in activity-log.com WP System Log winterlock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP System Log: from n/a through <= 1.2.7."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en activity-log.com WP System Log winterlock permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP System Log: desde n/a hasta &lt;= 1.2.7."}], "id": "CVE-2026-24987", "lastModified": "2026-04-28T16:16:08.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:40.873", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/winterlock/vulnerability/wordpress-wp-system-log-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.7]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.2.8,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP System Log", "source": "cna", "vendor": "activity-log.com"}, "product": "wp_system_log", "vendor": "activity-log.com"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:37:08.208898+00:00", "value": {"mitigation_remediation": ["Upgrade the WP System Log plugin to a version newer than 1.2.7 as soon as a fixed release becomes available", "If an upgraded version is not available, remove or disable the plugin from the WordPress installation", "Restrict access to the plugin\u2019s administrative interface to trusted administrators only", "Verify that the applied fix is effective by attempting to access log data after the update or removal"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to system logs due to missing authorization checks"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WP System Log plugin developed by activity\u2011log.com. All versions from the earliest release up to and including 1.2.7 are impacted. Users running this plugin on any WordPress site are potentially exposed.", "description_and_impact": "Missing authorization checks in the WP System Log plugin for WordPress allow an attacker to read or otherwise manipulate log data that should be restricted to privileged users. This forms a classic Broken Access Control weakness, as defined by CWE-862, and can expose sensitive operational information or enable further compromise if logs contain exploitable data.", "risk_and_exploitability": "The CVSS score is not supplied, and EPSS information is unavailable, so the quantitative risk is unclear. However, because the flaw resides in a web\u2011based plugin, exploitation would occur remotely via HTTP requests to the plugin\u2019s endpoints. It is inferred that the attack vector requires web access to the site, and the lack of an authentication requirement for the vulnerable actions suggests that the threat can be exercised by unauthenticated users or those with low privileges."}}}}, "created": "2026-03-25T21:34:26.541963+00:00", "updated": "2026-03-26T11:39:41.201611+00:00", "vendors": ["activity-log.com", "activity-log.com$PRODUCT$wp_system_log", "wordpress", "wordpress$PRODUCT$wordpress"]}