Skip to main content

Simple History EUVDEUVD-2026-20140

| CVE-2026-39473 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-04-08 Patchstack GHSA-v3gq-fh32-rp3x
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:39 vuln.today
CVSS changed
Apr 13, 2026 - 17:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20140
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in Pär Thernström Simple History simple-history allows Retrieve Embedded Sensitive Data.This issue affects Simple History: from n/a through <= 5.24.0.

AnalysisAI

Simple History WordPress plugin versions 5.24.0 and earlier expose sensitive information through embedded data in sent communications, allowing remote unauthenticated attackers to retrieve confidential details with low attack complexity. The vulnerability stems from improper handling of sensitive data in network transmissions and affects all installations of the plugin up to the stated version. EPSS score of 0.02% indicates minimal real-world exploitation likelihood despite the information disclosure nature.

Technical ContextAI

Simple History is a WordPress activity logging and audit trail plugin that records user actions, changes, and system events within WordPress installations. The vulnerability (CWE-201: Insertion of Sensitive Information Into Sent Data) occurs when the plugin includes sensitive information-potentially user credentials, API keys, system paths, or other confidential details-in data transmitted over the network without proper sanitization or protection. This class of vulnerability exploits inadequate data handling practices in network communications, where sensitive details leak through HTTP headers, request/response bodies, logs sent to external systems, or other transmission mechanisms. The affected CPE cpe:2.3:a:pär_thernström:simple_history:*:*:*:*:*:*:*:* indicates all versions and variants of the plugin are in scope until patching.

RemediationAI

Update the Simple History plugin to a patched version released after 5.24.0. Site administrators should navigate to the WordPress dashboard, access the Plugins section, and update Simple History to the latest available version from the official repository. If an immediate patch is not yet available from the vendor, temporarily disable the plugin until an update is released to prevent sensitive data exposure through logged activities. Verify the update via Patchstack's vulnerability database (https://patchstack.com/database/Wordpress/Plugin/simple-history/) and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39473) to confirm patch availability and version numbers before deploying to production.

Share

EUVD-2026-20140 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy