CVE-2026-24987

Activity Log for WordPress <= 1.2.7 - Missing Authorization

Type: Missing Authorization
CVSS Score: 4.3
Severity: medium
Patched in: 1.2.8
Time to patch: 11d

Description

The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.2.7
Published: March 17, 2026
Last updated: March 27, 2026
Affected plugin: winterlock

What Changed in the Fix

Changes introduced in v1.2.8


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-24987 (Activity Log for WordPress)

1. Vulnerability Summary

The Activity Log for WordPress (winterlock) plugin <= 1.2.7 suffers from a Missing Authorization vulnerability. The plugin uses a custom MVC framework (Winter MVC) where controller methods are mapped to admin.php pages via the page and function query parameters. Multiple sensitive functions in controllers like Wal_history, Wal_reports, and Wal_cloudintegration lack capability checks (current_user_can or the plugin's internal wal_access_allowed) and nonce verification. This allows authenticated users with Subscriber-level access to perform unauthorized actions, such as modifying log favorites or creating system reports.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin.php
  • Query Parameters:
    • page: The controller slug (e.g., wal_history, wal_reports).
    • function: The method to execute (e.g., save_history, report_edit).
  • Required Role: Subscriber (or any authenticated user).
  • Nonce: None required for the vulnerable methods identified.
  • Payload:
    • For save_history: id (the ID of the activity log entry).
    • For report_edit: POST parameters like report_name, report_email, etc.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Activity Log for WordPress plugin (winterlock) lacks capability checks and nonce verification on numerous controller methods exposed through its custom MVC routing. This allows authenticated attackers with Subscriber-level permissions to perform unauthorized actions such as modifying log records, creating/editing system reports, and accessing sensitive log data via AJAX-style datatable endpoints.

Vulnerable Code

// application/controllers/Wal_history.php lines 61-68
public function save_history()
{
    $this->load->model('History_m');

    // Attacker-controlled id; no current_user_can(), wal_access_allowed() or nonce check precedes the write
    $id = $this->input->post_get('id');

    $this->history_m->update(array('is_favourite'=>1), $id);

    exit();
}

---

// application/controllers/Wal_reports.php lines 17-30
public function report_edit()
{
    $this->load->model('log_m');
    $this->load->model('report_m');

    // Attacker-controlled report id, again with no capability or nonce check
    $report_id = $this->input->post_get('id');

    // Prepare db data
    $this->data['db_data'] = NULL;

    if(!empty($report_id))
        $this->data['db_data'] = $this->report_m->get($report_id, TRUE);

    // ... remainder of the method not quoted on this page

---

// application/controllers/Wal_history.php lines 79-85
public function datatable()
{
    //$this->enable_error_reporting();
    remove_action( 'shutdown', 'wp_ob_end_flush_all', 1 );

    // configuration
    $columns = array('idhistory', 'level', 'date', 'avatar', 'user_info', 'description', 'page', 'action');

    // ... remainder of the method not quoted on this page

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/winterlock/1.2.7/application/controllers/Wal_cloudintegration.php /home/deploy/wp-safety.org/data/plugin-versions/winterlock/1.2.8/application/controllers/Wal_cloudintegration.php
--- /home/deploy/wp-safety.org/data/plugin-versions/winterlock/1.2.7/application/controllers/Wal_cloudintegration.php	2026-01-17 14:00:10.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/winterlock/1.2.8/application/controllers/Wal_cloudintegration.php	2026-02-11 21:30:56.000000000 +0000
@@ -277,6 +277,14 @@
 	// json for datatables
 	public function datatable()
 	{
+
+        if ( ! current_user_can( 'administrator' ) ) {
+            exit();
+        }
+        
+        check_ajax_referer('winterlock_secure_ajax', 'winterlock_secure');
+
+
         //$this->enable_error_reporting();
         remove_action( 'shutdown', 'wp_ob_end_flush_all', 1 );
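Review bot: `current_user_can( 'administrator' )` tests a role name rather than a capability, which the WordPress developer documentation explicitly discourages: a site that grants log access through a custom role fails the check, while any account carrying the administrator role passes regardless of what it may actually do. Prefer a capability such as `manage_options` (or the plugin's own wal_access_allowed gate that the research plan mentions). The bare `exit()` on failure also returns an HTTP 200 with an empty body, so neither the datatables client nor the access log can tell a denied request from a successful one; `wp_send_json_error( null, 403 )` would make the denial visible. Ordering the nonce check after the capability check is fine, but note that `check_ajax_referer` calls `wp_die()` by default, so a stale `winterlock_secure` token surfaces to a JSON consumer as HTML.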
 
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/winterlock/1.2.7/application/controllers/Wal_history.php /home/deploy/wp-safety.org/data/plugin-versions/winterlock/1.2.8/application/controllers/Wal_history.php
--- /home/deploy/wp-safety.org/data/plugin-versions/winterlock/1.2.7/application/controllers/Wal_history.php	2026-01-17 14:00:10.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/winterlock/1.2.8/application/controllers/Wal_history.php	2026-02-11 21:30:56.000000000 +0000
@@ -71,6 +71,13 @@
 	// json for datatables
 	public function datatable()
 	{
+
+        if ( ! current_user_can( 'administrator' ) ) {
+            exit();
+        }
+        
+        check_ajax_referer('winterlock_secure_ajax', 'winterlock_secure');
+        
         //$this->enable_error_reporting();
         remove_action( 'shutdown', 'wp_ob_end_flush_all', 1 );
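Review bot: this hunk guards only datatable() (line 71 onward), yet the Vulnerable Code section above quotes save_history() from this same file at lines 61-68, with the same post_get('id') write to History_m and no check, and report_edit() in Wal_reports.php; nothing in the visible diff touches either. Confirm both received a guard in 1.2.8, otherwise the "Patched in 1.2.8" claim covers only the JSON endpoints. The same points as for Wal_cloudintegration apply: use a capability (`manage_options`) instead of the 'administrator' role name, and consider passing `false` as the third argument of `check_ajax_referer` and returning `wp_send_json_error()` so the datatables caller receives structured JSON rather than a `wp_die()` page on a bad nonce.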

Exploit Outline

To exploit this vulnerability, an authenticated attacker with Subscriber-level access targets the plugin's custom MVC router via `/wp-admin/admin.php`. By setting the 'page' (controller) and 'function' (method) query parameters, the attacker invokes controller methods that perform no capability or nonce check. For example, a GET request to `admin.php?page=wal_history&function=save_history&id=[LOG_ID]` marks the chosen activity-log entry as a favourite (`is_favourite = 1`) on behalf of any authenticated user. Similarly, POST requests to `admin.php?page=wal_reports&function=report_edit` can be used to create or modify system reports. Information disclosure is possible by calling the various `datatable` methods, which return the activity log as JSON (including the user-information columns) without verifying that the requester holds an administrative capability.
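The request shapes described in the attack-vector list and the exploit outline above give a defender something concrete to hunt for. The following Python script is an added example written for this page, not code from the winterlock plugin or its authors: it scans a web-server access log for requests that route to the controller methods the page names as unguarded. It assumes Apache/nginx "combined" log format and that the plugin's router matches the page/function values exactly; the log lines embedded in it are constructed for the example, not captured traffic.

```python
"""Hunt for requests to the winterlock admin.php controller methods this page
names (save_history, report_edit, datatable) in web-server access logs.

Assumptions (not from the original page): logs are in Apache/nginx "combined"
format, and the plugin's router matches the page/function values exactly.
An access log does not show whether the caller was logged in, nor POST
bodies, so a hit means "this endpoint was exercised", not "exploit succeeded".
"""
import re
from urllib.parse import parse_qs, urlsplit

# Controller slug -> methods the page reports as lacking capability/nonce checks.
SENSITIVE = {
    "wal_history": {"save_history", "datatable"},
    "wal_reports": {"report_edit", "datatable"},
    "wal_cloudintegration": {"datatable"},
}

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic): lines 1, 2 and 4 should be
# flagged; line 3 has no function parameter, line 5 is unrelated, line 6 is garbage.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=wal_history&function=save_history&id=42 HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '203.0.113.7 - - [17/Mar/2026:10:01:09 +0000] "POST /wp-admin/admin.php?page=wal_reports&function=report_edit HTTP/1.1" 200 8130 "-" "curl/8.5.0"',
    '198.51.100.4 - - [17/Mar/2026:10:02:30 +0000] "GET /wp-admin/admin.php?page=wal_history HTTP/1.1" 200 44120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [17/Mar/2026:10:02:41 +0000] "GET /blog/wp-admin/admin.php?page=wal_cloudintegration&function=datatable&draw=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [17/Mar/2026:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding for a request that routes to a sensitive winterlock method, else None."""
    url = urlsplit(entry["target"])
    # Works for sub-directory installs too (/blog/wp-admin/admin.php).
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    params = parse_qs(url.query)
    page = params.get("page", [""])[0]
    func = params.get("function", [""])[0]
    if func not in SENSITIVE.get(page, ()):
        return None
    return {
        "ip": entry["ip"],
        "ts": entry["ts"],
        "method": entry["method"],
        "status": int(entry["status"]),
        "page": page,
        "function": func,
        # id is only visible for GET; for POST (report_edit) it travels in the body.
        "id": params.get("id", [None])[0],
    }


def scan(lines):
    """Run every line through parse_line/classify and collect findings in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def by_source(findings):
    """Count findings per client IP, the first pivot for triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['page']}.{f['function']} "
              f"id={f['id']} status={f['status']}")
    print(by_source(hits))
```

Two caveats when running this against real logs. Administrators legitimately call the `datatable` methods every time they open the log screen, so those hits are only interesting once correlated with the WordPress session (the access log carries no user identity); the `save_history` and `report_edit` hits are rarer and worth reviewing individually. And because the vulnerable methods end in `exit()`, a successful call and a denied one can both appear as a 200 with a near-empty body, so the status column cannot be used to separate them.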
