PT-2026-39335 · WordPress · Logtivity

Ronnachai Chaipha · Published 2026-05-09 · Updated 2026-05-10 · CVE-2026-8198

CVSS v3.1: 5.3 (Medium) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Logtivity versions prior to 3.3.7

Description: A logic flaw in the verifyAuthorization() function allows unauthenticated attackers to bypass authentication checks. Requests that omit the Authorization header skip Bearer token validation and trigger an unconditional return true statement. This enables unauthorized access to the '/wp-json/logtivity/v1/options' REST API endpoint, allowing the retrieval of plugin configuration options, including the logtivity site api key variable, which can be used to impersonate the site in API calls to the Logtivity service.

Recommendations: Update to a version newer than 3.3.6. Restrict access to the '/wp-json/logtivity/v1/options' endpoint to minimize the risk of information disclosure.
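
The fail-open pattern outlined in the description, next to a fail-closed form, as an added PHP illustration that is not Logtivity's code. The function names, the header-array input and the sample token are constructed for this example.

```php
<?php
// Added illustration; not Logtivity's source. Function names, the header
// array shape and the sample token are constructed for this example.

// Fail-open shape described in the advisory: the token is only checked when
// an Authorization header is present, and every other path returns true.
function verify_authorization_fail_open(array $headers, string $expected): bool
{
    $auth = $headers['authorization'] ?? null;
    if ($auth !== null) {
        if (stripos($auth, 'Bearer ') !== 0) {
            return false;
        }
        return hash_equals($expected, (string) substr($auth, 7));
    }
    return true; // reached when the header is omitted
}

// Fail-closed form: deny by default, allow only on a positive token match.
function verify_authorization_fail_closed(array $headers, string $expected): bool
{
    $auth = $headers['authorization'] ?? '';
    if ($expected === '' || !is_string($auth) || stripos($auth, 'Bearer ') !== 0) {
        return false; // missing header, wrong scheme, or no token configured
    }
    $presented = trim((string) substr($auth, 7));
    return $presented !== '' && hash_equals($expected, $presented);
}

// Constructed sample inputs covering the missing-header case and its neighbours.
$expected = 'constructed-sample-token';
$cases = [
    'no header'    => [],
    'empty header' => ['authorization' => ''],
    'wrong scheme' => ['authorization' => 'Basic abc'],
    'wrong token'  => ['authorization' => 'Bearer nope'],
    'valid token'  => ['authorization' => 'Bearer constructed-sample-token'],
];
foreach ($cases as $name => $headers) {
    printf("%-13s fail-open=%-5s fail-closed=%s\n", $name,
        var_export(verify_authorization_fail_open($headers, $expected), true),
        var_export(verify_authorization_fail_closed($headers, $expected), true));
}
```

Only the "no header" row differs between the two functions, which is the case a regression test for this class of bug should pin down.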

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2026-8198

Affected Products: Logtivity