Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Simple History - Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/<id>/react with the _fields=context query parameter and read the full context of any Simple History event - including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default.
AnalysisAI
Authenticated privilege escalation to administrator in the Simple History WordPress plugin (versions through 5.26.0) allows a Subscriber-level user to read password-reset email contents logged by SimpleUserLogger and hijack admin accounts. The react/unreact event endpoints reuse a permission callback that only checks for a logged-in user, exposing full event context including reset URLs and keys. No public exploit identified at time of analysis, and exploitation requires that an administrator previously enabled the non-default experimental features option.
Technical ContextAI
Simple History is a popular WordPress audit-logging plugin that records site activity, including events emitted by its bundled SimpleUserLogger such as password-reset email bodies. The flaw lives in inc/class-wp-rest-events-controller.php where the REST routes /wp-json/simple-history/v1/events/<id>/react and /unreact register get_items_permissions_check() as their permission_callback. That callback only enforces is_user_logged_in() and skips the per-logger capability checks that Log_Query normally applies when reading event context. Combined with WordPress's REST _fields=context selector, this lets any authenticated session retrieve the full context payload of arbitrary event IDs. This is a textbook CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) issue because the recovery secret - the reset key embedded in context.message - is exposed to an unauthorized actor.
RemediationAI
Upstream fix available (commit/changeset 3524112 at https://plugins.trac.wordpress.org/changeset/3524112/simple-history/trunk/inc/class-wp-rest-events-controller.php); released patched version not independently confirmed beyond the 5.26.0 vulnerable tag, so administrators should update Simple History to the latest available release after 5.26.0 as soon as their plugin repository surfaces it and confirm the patched permission_callback enforces per-logger capability checks. Until the update is applied, the most effective workaround is to disable the experimental features option (simple_history_experimental_features_enabled) since the vulnerable react/unreact endpoints are only reachable when that flag is on; this removes the attack surface at the cost of losing the experimental reaction functionality. Sites that allow open Subscriber registration should additionally consider temporarily disabling new user registration or restricting access to /wp-json/simple-history/* via a WAF rule that requires editor-or-higher capability, accepting the trade-off that legitimate low-privilege REST consumers will be blocked. Consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/95d2bf1a-0993-4553-a00e-6f555c3f15be?source=cve for ongoing detail.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33455
GHSA-9jh7-hmgx-8gq5