Simple History Plugin <= 5.26.0 Authenticated Account Takeover via Missing Authorization (CVE-2026-7459)

Vulnerability Overview Vulnerability Name: Simple History – Track, Log, and Audit WordPress Changes <= 5.26.0 - Authenticated (Subscriber+) Account Takeover via Missing Authorization on Event Reaction Endpoint CVE ID: CVE-2026-7459 CVSS Score: 7.5 (High) Release Date: May 29, 2026 Last Update Date: May 30, 2026 Researcher: ihking Impact Scope Software Type: Plugin Software Name: Simple History – Track, Log, and Audit WordPress Changes Affected Versions: <= 5.26.0 Fixed Versions: 5.27.0 Remediation Fix Method: Update to version 5.27.0 or a newer patched version. Vulnerability Description The Simple History – Track, Log, and Audit WordPress Changes plugin contains a vulnerability in versions <= 5.26.0 that allows authenticated (Subscriber+) users to take over accounts via the event reaction endpoints ( / ). These endpoints register as the permission callback, which only verifies that the requester is logged in, without enforcing the stricter permissions checks typically applied by . Consequently, Subscriber-level users can POST to the endpoint, using the context query parameter to read the full context of any Simple History event—specifically including the complete body of a password reset email recorded by a entity (containing the URL and reset key). The attacker triggers a password reset via an administrator account, forces the reset of the most recent event ID via the lost password form, reads the resulting event through the reaction endpoint, extracts the reset key from the context message, and completes the password reset to take over the administrator account. Exploitation requires the administrator to first enable the experimental features option ( ), which is not enabled by default. References plugins.trac.wordpress.org Additional Information Software Patch Status: Patched Patch Version: 5.27.0 Related Vulnerabilities Simple History <= 5.24.0 - Unauthenticated Information Exposure - CVE ID: CVE-2026-39473 - CVSS Score: 5.3 - Researcher: timonanguct - Release Date: March 22, 2026 Simple History <= 5.8.1 - Authenticated (Administrator+) Sensitive Information Exposure via Detective Mode - CVE ID: CVE-2025-5760 - CVSS Score: 4.9 - Researcher: Blair Crawford - Release Date: June 5, 2025 Simple History <= 3.3.1 - Authenticated (Subscriber+) CSV Injection - CVE ID: CVE-2022-45350 - CVSS Score: 6.0 - Researcher: ed32.dll - Release Date: February 2, 2023 Simple History Plugin < 2.7.5 - Sensitive Information Disclosure - CVSS Score: 4.3 - Release Date: July 28, 2016 Simple History <= 1.0.7 - Sensitive Information Disclosure - CVSS Score: 5.5 - Release Date: August 1, 2014 Summary This vulnerability allows authenticated (Subscriber+) users to take over accounts via the event reaction endpoint, affecting versions <= 5.26.0 of the Simple History plugin. It is recommended to update to version 5.27.0 or a newer patched version to resolve this vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

Simple History Plugin <= 5.26.0 Authenticated Account Takeover via Missing Authorization (CVE-2026-7459)

More from this source