CVE-2026-3569
MEDIUM
NVD
CVSS Score
5.3
Severity
MEDIUM
Published
Apr 24, 2026
Vendor
unknown
Description
The Liaison Site Prober plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 1.2.1 via the /wp-json/site-prober/v1/logs REST API endpoint. The permissions_read() permission callback unconditionally returns true (via __return_true()) instead of checking for appropriate capabilities. This makes it possible for unauthenticated attackers to retrieve sensitive audit log data including IP addresses, user IDs, usernames, login/logout events, failed login attempts, and detailed activity descriptions.
References
- https://plugins.trac.wordpress.org/browser/liaison-site-prober/tags/1.2.1/includes/class-liaison-rest-controller.php#L19
- https://plugins.trac.wordpress.org/browser/liaison-site-prober/tags/1.2.1/includes/class-liaison-rest-controller.php#L50
- https://plugins.trac.wordpress.org/browser/liaison-site-prober/tags/1.2.1/includes/class-liaison-rest-controller.php#L90
- https://plugins.trac.wordpress.org/browser/liaison-site-prober/trunk/includes/class-liaison-rest-controller.php#L19
- https://plugins.trac.wordpress.org/browser/liaison-site-prober/trunk/includes/class-liaison-rest-controller.php#L50