CVE-2026-7459
Deferred - Pending Action
Authenticated Account Takeover in Simple History WordPress Plugin

Publication date: 2026-05-30

Last updated on: 2026-06-01

Assigner: Wordfence

Description
The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/<id>/react with the _fields=context query parameter and read the full context of any Simple History event, including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-05-30
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Vendor: simple_history
Product: simple_history
Version range: up to and including 5.26.0
CWE-640: The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
AI Quick Actions
Executive Summary

The vulnerability exists in the Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress, in all versions up to and including 5.26.0. It allows an authenticated user with Subscriber-level permissions to take over higher-privileged accounts, such as administrators.

This happens because the plugin's event reaction endpoints (react_to_event() / unreact_to_event()) only check whether the requester is logged in, without enforcing the per-logger capability checks. As a result, a Subscriber can read sensitive event data, including password-reset email contents that contain reset URLs and keys.

An attacker can trigger a password reset for an administrator, then brute-force event IDs to find the password reset event containing the reset key, and use that key to complete the password reset and take over the administrator account. Exploitation requires that the administrator has enabled an experimental features option, which is not enabled by default.

Impact Analysis

This vulnerability can lead to a complete account takeover of administrator accounts by users with only Subscriber-level access. This means an attacker can gain full control over the WordPress site.

With administrator privileges, the attacker can modify site content, install malicious plugins or themes, steal sensitive data, disrupt site operations, or use the compromised site for further attacks.

The impact is severe as it compromises the confidentiality, integrity, and availability of the affected WordPress site.

Compliance Impact

This vulnerability allows a Subscriber-level user to gain access to sensitive information, including password-reset email bodies containing reset URLs and keys, which can lead to administrator account takeover.

Such unauthorized access to sensitive user data and account takeover risks violating data protection requirements under regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to inadequate access controls and potential exposure of personal data.

Detection Guidance

Detection of this vulnerability involves checking whether the Simple History plugin for WordPress is installed and running a version up to and including 5.26.0.

Additionally, verify if the experimental features option (simple_history_experimental_features_enabled) is enabled, as exploitation requires this setting to be active.

To detect potential exploitation attempts, monitor POST requests to the endpoint /wp-json/simple-history/v1/events/<id>/react, especially those including the _fields=context query parameter from Subscriber-level accounts.

Suggested commands to check plugin version and settings on the WordPress server include:

  • Use WP-CLI to check the plugin version: wp plugin status simple-history
  • Check the experimental features option via WP-CLI or by inspecting the database option simple_history_experimental_features_enabled.
  • Monitor web server access logs for suspicious POST requests to the vulnerable endpoint. Packet-capture tools such as tcpdump or Wireshark only show the request path when the traffic is not TLS-encrypted (or is captured behind a TLS-terminating proxy), so the access log is the reliable source.
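
The following is an added example, not part of the advisory or the Simple History plugin: a Python script that applies the detection guidance above to web server access logs. It checks whether an installed version (for example the value returned by `wp plugin get simple-history --field=version`) falls in the affected range up to and including 5.26.0, scans combined-format log lines for POST requests to /wp-json/simple-history/v1/events/<id>/react whose _fields parameter selects context (including comma-separated lists such as _fields=id,context and URL-encoded commas), and reports clients that touch several distinct event IDs, which is the event-ID enumeration the description refers to. The log lines are constructed for the example; the threshold of three distinct IDs is an assumption, and the unreact route is not matched because its URL path is not given on the page. Access logs do not record the WordPress role of the requester, so whether a flagged client is a Subscriber-level account has to be correlated with WordPress session or user data separately.

```python
"""Flag access-log lines matching the CVE-2026-7459 exploitation pattern.

Constructed example, not code from the advisory or the plugin. Parses
Apache/nginx combined log lines, checks the plugin version against the
affected range, and reports POST requests to the /react route whose
_fields parameter selects "context", plus clients enumerating event IDs.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Last affected release named in the advisory (all versions up to and including).
LAST_AFFECTED_VERSION = "5.26.0"

# Combined log format: host ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Only the /react route is named with its path in the advisory; the unreact
# route's URL is not given on the page, so it is deliberately not matched.
REACT_RE = re.compile(r"^/wp-json/simple-history/v1/events/(?P<event_id>\d+)/react/?$")

# Constructed sample log: one client walking consecutive event IDs with
# _fields=context, and two benign requests from another client.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/May/2026:10:01:01 +0000] "POST /wp-json/simple-history/v1/events/1041/react?_fields=context HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/May/2026:10:01:02 +0000] "POST /wp-json/simple-history/v1/events/1042/react?_fields=id,context HTTP/1.1" 200 498',
    '203.0.113.7 - - [30/May/2026:10:01:03 +0000] "POST /wp-json/simple-history/v1/events/1043/react?_fields=context HTTP/1.1" 404 77',
    '198.51.100.4 - - [30/May/2026:10:02:10 +0000] "POST /wp-json/simple-history/v1/events/1044/react HTTP/1.1" 200 120',
    '198.51.100.4 - - [30/May/2026:10:02:11 +0000] "GET /wp-json/simple-history/v1/events?_fields=context HTTP/1.1" 200 2048',
]


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def is_affected_version(version):
    """True if the installed plugin version is within the affected range."""
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)


def fields_select_context(query):
    """True when the _fields parameter (possibly a comma list) includes 'context'."""
    values = parse_qs(query).get("_fields", [])
    selected = {name.strip() for value in values for name in value.split(",")}
    return "context" in selected


def classify_line(line):
    """Return (client_ip, event_id) for a suspicious react POST, else None."""
    match = LOG_RE.match(line)
    if not match or match.group("method") != "POST":
        return None
    url = urlsplit(match.group("target"))
    route = REACT_RE.match(url.path)
    if not route or not fields_select_context(url.query):
        return None
    return match.group("ip"), int(route.group("event_id"))


def analyse(lines, enumeration_threshold=3):
    """Return all suspicious hits and the clients that touched >= threshold distinct event IDs.

    The threshold is an assumption for this example; tune it to the site's normal usage.
    """
    hits = []
    ids_by_ip = defaultdict(set)
    for line in lines:
        result = classify_line(line)
        if result is not None:
            hits.append(result)
            ids_by_ip[result[0]].add(result[1])
    enumerators = sorted(ip for ip, ids in ids_by_ip.items() if len(ids) >= enumeration_threshold)
    return hits, enumerators


if __name__ == "__main__":
    # Installed version would normally come from `wp plugin get simple-history --field=version`.
    print("version 5.26.0 affected:", is_affected_version("5.26.0"))
    hits, enumerators = analyse(SAMPLE_LOG)
    for ip, event_id in hits:
        print(f"suspicious react POST with _fields=context: ip={ip} event_id={event_id}")
    for ip in enumerators:
        print(f"possible event-ID enumeration from {ip}")
```

Feed real lines with `analyse(open("access.log"))`; a hit with a 404 status still counts, because an attacker probing recent event IDs is expected to miss some, and the per-client distinct-ID count is what separates enumeration from a single legitimate reaction.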

Mitigation Strategies

Immediate mitigation steps include:

  • Disable the experimental features option (simple_history_experimental_features_enabled) if it is enabled.
  • Update the Simple History plugin to a version later than 5.26.0 where this vulnerability is fixed.
  • Restrict access to the vulnerable endpoints by limiting permissions or applying additional access controls.
  • Monitor logs for suspicious activity related to the /wp-json/simple-history/v1/events/<id>/react endpoint.