CVE-2026-3569 MEDIUM

CVE-2026-3569: Liaison Site Prober <= 1.2.1 - Missing Authorization to Unauthenticated Information Exposure in '/logs' REST API Endpoint

Vendor Liaison
Product Liaison Site Prober
Weakness CWE-862 · Missing authorization
Published April 24, 2026
Last update April 24, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The Liaison Site Prober plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 1.2.1 via the /wp-json/site-prober/v1/logs REST API endpoint. The permissions_read() permission callback unconditionally returns true (via __return_true()) instead of checking for appropriate capabilities. This makes it possible for unauthenticated attackers to retrieve sensitive audit log data including IP addresses, user IDs, usernames, login/logout events, failed login attempts, and detailed activity descriptions.

Explanation of Vulnerability in Simple Terms

02Summary

Liaison Site Prober versions 1.2.1 and earlier lack proper authorization checks, allowing unauthenticated attackers to read sensitive information. The vulnerability requires only network access and no user interaction. Site administrators should update to a version newer than 1.2.1 to prevent unauthorized data disclosure.

What an attacker can do

03Attacker Capabilities

Read sensitive information without authentication.

Potential impact on your site

04Site Impact

Unauthorized users can access confidential data exposed by the Site Prober application.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

April 24, 2026 CVE published
April 24, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2026-40778 WordPress Majestic Support plugin <= 1.1.2 - Broken Access Control vulnerability CVE-2019-25139 Coming Soon Page & Maintenance Mode <= 1.8.1 - Unauthenticated Settings Reset CVE-2024-33944 WordPress WooCommerce AWeber Newsletter Subscription plugin <= 4.0.2 - Unauthenticated Access Token Change/Reset vulnerability CVE-2024-5770 WP Force SSL & HTTPS SSL Redirect <= 1.66 - Missing Authorization to Settings Update CVE-2023-47180 WordPress Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugin <= 2.16.0 - Arbitrary Content Deletion vulnerability