HIGH 7.5

CVE-2026-7459: Simple History WordPress Plugin Account Takeover Vulnerability

A flaw in the Simple History WordPress plugin allows low-privilege users (Subscribers) to take over administrator accounts. The vulnerability exists in how the plugin checks permissions when users react to logged events. Instead of enforcing the proper permission checks, the plugin only verifies that someone is logged in. An attacker with a basic account can read sensitive event details—including password-reset links—that should only be visible to authorized administrators. By combining this with a forced password reset, an attacker can hijack an admin account. Notably, this only affects sites that have enabled the plugin's experimental features option, which is not the default configuration.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-640
Affected products
0 configuration(s)
Published / Modified
2026-05-30 / 2026-06-17

NVD description (verbatim)

The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/<id>/react with the _fields=context query parameter and read the full context of any Simple History event — including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default.

12 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-7459 is an authenticated privilege escalation and account takeover vulnerability in Simple History up to version 5.26.0. The react_to_event() and unreact_to_event() REST endpoints register get_items_permissions_check() as their permission callback. This callback only confirms the user is logged in via is_user_logged_in(), bypassing the per-logger capability checks that Log_Query normally enforces. A Subscriber-level user can POST to /wp-json/simple-history/v1/events/{id}/react with _fields=context to retrieve full event context. SimpleUserLogger records password-reset email bodies, including the reset token, in event context. An attacker can brute-force recent event IDs, extract the reset key from user_requested_password_reset_link events, and complete a password reset on any administrator account. Exploitation requires simple_history_experimental_features_enabled to be true, which is not the default setting.

Business impact

A successful exploit grants an attacker full administrator access to the WordPress site, enabling site-wide defacement, malware injection, data theft, and business continuity disruption. Because password-reset links contain time-sensitive tokens, the attack window is limited but predictable for an attacker who can monitor or trigger the reset. For multi-administrator environments, the loss of a single admin account is still critical. Organizations using this plugin in production may face regulatory and reputational damage if a compromise occurs. The requirement for experimental features to be enabled reduces—but does not eliminate—the real-world impact, as some power users and developers enable experimental options for testing.

Affected systems

Any WordPress installation running the Simple History – Track, Log, and Audit WordPress Changes plugin at version 5.26.0 or earlier is affected if the simple_history_experimental_features_enabled option has been enabled. The vulnerability requires REST API access and an authenticated attacker account with Subscriber or higher privileges. Sites that have not enabled experimental features are not impacted. No distinction exists among WordPress hosting environments (shared, managed, VPS, dedicated); all are equally vulnerable if both conditions are met.

Exploitability

Exploitation is moderate in difficulty but high in impact. An attacker must first obtain a Subscriber-level account (registration must be enabled, or the attacker must have insider access). The attacker then needs to trigger an administrator password reset and quickly identify the corresponding event in Simple History by brute-forcing event IDs. Password-reset tokens expire, so timing is important but feasible for a motivated attacker. No special tools or zero-day knowledge are required; the attack is straightforward REST API manipulation. The barrier to entry (Subscriber access + experimental features enabled) is lower than for many privilege-escalation flaws, but still requires some setup. This vulnerability is not currently tracked in CISA's KEV catalog.

Remediation

Update Simple History to a patched version once released by the plugin developers (verify against their official advisory). As an immediate temporary measure on affected sites, disable the simple_history_experimental_features_enabled option in the WordPress database or configuration if it is enabled. Audit WordPress user roles and remove unnecessary Subscriber accounts. Consider restricting REST API access via firewall rules or a Web Application Firewall (WAF) to limit external REST requests to trusted IP ranges. Monitor password-reset events and unexpected administrator login sessions for signs of compromise. If an administrator account has been compromised, revoke all sessions, audit database changes, and scan for malware.

Patch guidance

A patch should be available from the Simple History plugin developers. Check the official plugin repository and security advisory for the updated version number and apply it immediately through the WordPress admin dashboard or via command line (wp plugin update simple-history). After patching, verify the update in the Installed Plugins list. On shared hosting, ensure your hosting provider supports timely plugin updates. If automatic updates are enabled, the patch should deploy automatically; verify completion. Do not rely on the experimental features option as a permanent workaround; patching is the correct fix.

Detection guidance

Search your WordPress database for simple_history_experimental_features_enabled option value 'yes' or '1' to identify affected configurations. Enable WordPress access logging and monitor /wp-json/simple-history/v1/events/* POST requests, especially those containing _fields=context parameters from low-privilege user accounts. Log authentication events and flag unexpected administrator password resets followed by new login sessions from unusual IP addresses. Use WordPress security plugins (Wordfence, Sucuri) to alert on brute-force login attempts or unusual REST API activity. Review WordPress user lists for inactive or suspicious Subscriber accounts that may have been created by attackers.

Why prioritize this

This vulnerability warrants immediate attention despite experimental features being non-default. A CVSS score of 7.5 (HIGH) reflects the high impact (full account takeover) and the moderate access requirements. The ease of exploitation once the preconditions are met (REST API + Subscriber account + experimental flag) means this will be an attractive target once publicly disclosed. Organizations should assume exploit code will be developed or released quickly. Remediation is straightforward (patching or disabling experimental features), making this a high-priority candidate for rapid response and communication to affected stakeholders.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects Attack Vector: Network (the REST endpoint is remotely accessible), Attack Complexity: High (password-reset timing and event ID brute-forcing add friction), Privileges Required: Low (Subscriber account needed), User Interaction: None (no social engineering required), and Scope: Unchanged (impact confined to the target WordPress instance). Confidentiality, Integrity, and Availability are all rated High because a compromised administrator account grants full read, modify, and delete access. The score appropriately reflects the real-world risk of administrative account takeover via a chained attack (REST disclosure + password reset), though the non-default experimental features option prevents this from being scored higher.

Frequently asked questions

Do I need to disable experimental features immediately if I am not using them?

Yes. Search your database for simple_history_experimental_features_enabled and verify its status. If it is enabled and you do not actively use experimental features, disable it now as a temporary mitigation while awaiting a patch. Do not treat this as a permanent fix; patching is still required.

How do I tell if my site has been compromised by this vulnerability?

Check WordPress user lists for unexpected new Subscriber accounts created before a known administrator compromise. Review access logs and login history for admin sessions from unfamiliar IP addresses or unusual times. Audit administrator email accounts for password-reset emails from dates that correlate with suspected attacks. If you suspect a compromise, revoke all sessions, change all passwords, and scan for malware before resuming operations.

Can a Subscriber-level user access password-reset tokens for other Subscribers, or only for Administrators?

The vulnerability allows a Subscriber to read SimpleUserLogger events for any user whose password reset was logged, including other users at any privilege level. However, the attack's impact is highest when targeting administrators because those accounts grant the broadest site access. A Subscriber-level reset is still a lateral privilege escalation and should be treated as a security incident.

What should I do if I cannot immediately patch?

Disable simple_history_experimental_features_enabled, audit Subscriber account lists and remove any accounts you did not create, restrict REST API access via firewall rules or WAF, and enable comprehensive logging of password-reset and authentication events. Implement monitoring for unexpected administrator login activity. These steps buy time but do not fully remediate the vulnerability; patching remains the correct long-term solution.

This analysis is provided for informational and defensive security purposes. The information herein is current as of the published date and may be updated as additional details emerge. Exploit code is not provided. Organizations should verify patch availability and version numbers against official vendor advisories before deployment. SEC.co and this analysis do not constitute legal advice, compliance consultation, or a guarantee of protection against this or any vulnerability. Always test patches in a non-production environment first. Responsibility for timely patching and security posture remains with the site owner and administrator. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).