CVE-2026-7459
Description
The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events//react with the _fields=context query parameter and read the full context of any Simple History event — including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Subscriber+ users can read full event context via Simple History reaction endpoints, enabling admin account takeover through password-reset key disclosure.
Vulnerability
The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress up to version 5.26.0 includes reaction endpoints (react_to_event() / unreact_to_event()) that use get_items_permissions_check() as their permission callback. This callback only verifies that the requester is logged in and does not enforce per-logger capability checks normally applied by Log_Query. As a result, any authenticated user (Subscriber+) can POST to /wp-json/simple-history/v1/events//react with the _fields=context query parameter and retrieve the full context of any Simple History event. Exploitation requires an administrator to have enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default [1].
Exploitation
An attacker with Subscriber-level access triggers a password reset for an administrator via the standard WordPress lost-password form. They then brute-force recent event IDs by repeatedly POSTing to /wp-json/simple-history/v1/events//react with _fields=context until they locate the user_requested_password_reset_link event. The reset key is extracted from the context.message field of that event, and the attacker uses it to complete the password reset, thereby taking over the administrator account [1].
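The sequence above leaves a recognisable trace in the web server's access log: a lost-password POST from one client, followed shortly by a run of POSTs to the reaction route for consecutive event ids, each carrying _fields=context. The following is an added detection example for this advisory, not code from the Simple History project. It assumes Combined Log Format lines and that the reaction route is /wp-json/simple-history/v1/events/<id>/react (the advisory prints the path with the id segment elided); the sample log lines are constructed, not captured.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed route shape (the advisory prints it as events//react with the id
# segment elided): /wp-json/simple-history/v1/events/<id>/react
REACT_RE = re.compile(
    r'^/wp-json/simple-history/v1/events/(?P<id>\d+)/react(?:\?(?P<qs>\S*))?$'
)
LOSTPW_RE = re.compile(r'^/wp-login\.php\?action=lostpassword')


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def context_probe_id(rec):
    """Event id if `rec` is a POST to the reaction route asking for the event
    context, else None. `_fields` may also travel in the POST body, which an
    access log never records; only the query-string form is visible here."""
    if rec['method'] != 'POST':
        return None
    m = REACT_RE.match(rec['path'])
    if not m:
        return None
    fields = re.search(r'(?:^|&)_fields=([^&]*)', m.group('qs') or '')
    if fields and 'context' in fields.group(1).split(','):
        return int(m.group('id'))
    return None


def find_probes(lines, min_ids=5, window=timedelta(minutes=5)):
    """Per source IP, flag a burst of >= min_ids distinct event ids probed
    within `window`, and record whether that source POSTed the lost-password
    form in the `window` before the burst (the advisory's first step)."""
    probes = defaultdict(list)   # ip -> [(ts, event_id)]
    lostpw = defaultdict(list)   # ip -> [ts]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['method'] == 'POST' and LOSTPW_RE.match(rec['path']):
            lostpw[rec['ip']].append(rec['ts'])
            continue
        eid = context_probe_id(rec)
        if eid is not None:
            probes[rec['ip']].append((rec['ts'], eid))

    findings = []
    for ip, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_win = [(t, e) for t, e in events[i:] if t - t0 <= window]
            ids = sorted({e for _, e in in_win})
            if len(ids) >= min_ids:
                findings.append({
                    'ip': ip,
                    'probed_ids': ids,
                    'first': t0,
                    'last': max(t for t, _ in in_win),
                    'preceded_by_lostpassword':
                        any(t0 - window <= t <= t0 for t in lostpw[ip]),
                })
                break  # one finding per source is enough for triage
    return findings


# Constructed sample: one client (203.0.113.7) requests a password reset, then
# walks event ids 1201..1208 asking for context; a second client reacts to a
# single event without _fields=context and lists events normally.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/May/2026:10:00:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [30/May/2026:10:00:{9 + i:02d} +0000] "POST /wp-json/simple-history/v1/events/{1201 + i}/react?_fields=context HTTP/1.1" 200 640 "-" "python-requests/2.31"'
    for i in range(8)
] + [
    '198.51.100.4 - - [30/May/2026:10:00:12 +0000] "POST /wp-json/simple-history/v1/events/1203/react HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [30/May/2026:10:01:30 +0000] "GET /wp-json/simple-history/v1/events?per_page=10 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in find_probes(SAMPLE_LOG):
        print(f"{f['ip']}: {len(f['probed_ids'])} event ids probed "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}, "
              f"lost-password request seen first: {f['preceded_by_lostpassword']}")
```

The lost-password correlation is a severity hint, not a precondition: an attacker can trigger the reset from a different address, so a burst of context reads alone is worth triage. Because the access log only shows query-string parameters, a plugin-side hook on the REST request is needed to catch _fields sent in the body.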
Impact
Successful exploitation results in full account takeover of an administrator account. The attacker gains administrative privileges over the WordPress site, enabling complete control over the installation, including content, users, and settings [1].
Mitigation
The vulnerability is fixed in Simple History version 5.26.1. Users should update to this version or later immediately. As a workaround, administrators can disable the experimental features option (simple_history_experimental_features_enabled) if it is enabled, which prevents the vulnerable endpoint from being registered. No other workaround is available [1].
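A quick exposure check combines the two facts the advisory gives: the installed version must be at or below 5.26.0, and the experimental-features option must be on. The block below is an added example, not part of the advisory or the plugin. It reads the version from the plugin main-file header (the standard WordPress header format; the header text here is constructed) and takes the option value as an argument, mirroring PHP truthiness because WordPress hands options back as strings.

```python
import re

LAST_VULNERABLE = (5, 26, 0)   # "all versions up to, and including, 5.26.0"
OPTION_NAME = 'simple_history_experimental_features_enabled'


def parse_version(v):
    """'5.26.0' -> (5, 26, 0). Pads short strings ('5.3' -> (5, 3, 0)) and drops
    a pre-release suffix ('5.26.1-beta1' -> (5, 26, 1)). Integer tuples avoid
    the string-compare trap where '5.3' sorts after '5.26'."""
    core = v.strip().split('-')[0]
    parts = core.split('.')
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f'unparseable version: {v!r}')
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0))[:3]


def version_from_plugin_header(text):
    """Read the 'Version:' field of a WordPress plugin main-file header."""
    m = re.search(r'^\s*\*?\s*Version:\s*(\S+)', text, re.MULTILINE)
    if not m:
        raise ValueError('no Version: field in plugin header')
    return m.group(1)


def option_enabled(value):
    """WordPress options come back as strings; mirror PHP truthiness so that
    '0' and '' count as disabled while '1' (or any other non-empty) is on."""
    if value is None or value is False:
        return False
    if isinstance(value, (int, float)):
        return value != 0
    return str(value).strip() not in ('', '0')


def assess(version, option_value):
    """'patched' if the plugin is past 5.26.0; otherwise 'exposed' when the
    experimental-features option is on and 'unpatched-gated' when it is off."""
    if parse_version(version) > LAST_VULNERABLE:
        return 'patched'
    return 'exposed' if option_enabled(option_value) else 'unpatched-gated'


# Constructed header in the shape WordPress reads from a plugin's main file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Simple History
 * Version: 5.26.0
 */
"""

if __name__ == '__main__':
    ver = version_from_plugin_header(SAMPLE_HEADER)
    for opt in ('1', '0', ''):
        print(ver, repr(opt), assess(ver, opt))
```

On a live site the two inputs come from WP-CLI, assuming the plugin slug simple-history: `wp plugin get simple-history --field=version` and `wp option get simple_history_experimental_features_enabled` (a missing option means it was never enabled). An 'unpatched-gated' result is still a reason to update; the gate is an option any administrator can flip later.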
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Simple History – Track, Log, and Audit WordPress Changes (no CPE assigned); affected range: <= 5.26.0
Patches
- r3524112 (WordPress plugins SVN changeset 3524112, inc/class-wp-rest-events-controller.php)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-event.php (nvd)
- plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-wp-rest-events-controller.php (nvd)
- plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-event.php (nvd)
- plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-wp-rest-events-controller.php (nvd)
- plugins.trac.wordpress.org/changeset/3524112/simple-history/trunk/inc/class-wp-rest-events-controller.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/95d2bf1a-0993-4553-a00e-6f555c3f15be (nvd)