Skip to main content

Simple History CVE-2026-7459

| EUVDEUVD-2026-33455 HIGH
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-05-30 Wordfence GHSA-9jh7-hmgx-8gq5
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 30, 2026 - 09:57 vuln.today
CVE Published
May 30, 2026 - 09:29 nvd
HIGH 7.5

DescriptionCVE.org

The Simple History - Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/<id>/react with the _fields=context query parameter and read the full context of any Simple History event - including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default.

AnalysisAI

Authenticated privilege escalation to administrator in the Simple History WordPress plugin (versions through 5.26.0) allows a Subscriber-level user to read password-reset email contents logged by SimpleUserLogger and hijack admin accounts. The react/unreact event endpoints reuse a permission callback that only checks for a logged-in user, exposing full event context including reset URLs and keys. No public exploit identified at time of analysis, and exploitation requires that an administrator previously enabled the non-default experimental features option.

Technical ContextAI

Simple History is a popular WordPress audit-logging plugin that records site activity, including events emitted by its bundled SimpleUserLogger such as password-reset email bodies. The flaw lives in inc/class-wp-rest-events-controller.php where the REST routes /wp-json/simple-history/v1/events/<id>/react and /unreact register get_items_permissions_check() as their permission_callback. That callback only enforces is_user_logged_in() and skips the per-logger capability checks that Log_Query normally applies when reading event context. Combined with WordPress's REST _fields=context selector, this lets any authenticated session retrieve the full context payload of arbitrary event IDs. This is a textbook CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) issue because the recovery secret - the reset key embedded in context.message - is exposed to an unauthorized actor.

RemediationAI

Upstream fix available (commit/changeset 3524112 at https://plugins.trac.wordpress.org/changeset/3524112/simple-history/trunk/inc/class-wp-rest-events-controller.php); released patched version not independently confirmed beyond the 5.26.0 vulnerable tag, so administrators should update Simple History to the latest available release after 5.26.0 as soon as their plugin repository surfaces it and confirm the patched permission_callback enforces per-logger capability checks. Until the update is applied, the most effective workaround is to disable the experimental features option (simple_history_experimental_features_enabled) since the vulnerable react/unreact endpoints are only reachable when that flag is on; this removes the attack surface at the cost of losing the experimental reaction functionality. Sites that allow open Subscriber registration should additionally consider temporarily disabling new user registration or restricting access to /wp-json/simple-history/* via a WAF rule that requires editor-or-higher capability, accepting the trade-off that legitimate low-privilege REST consumers will be blocked. Consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/95d2bf1a-0993-4553-a00e-6f555c3f15be?source=cve for ongoing detail.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-7459 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy