PatchSiren cyber security CVE debrief

CVE-2026-7459 eskapism CVE debrief

An authenticated account-takeover vulnerability exists in the Simple History WordPress plugin (versions ≤ 5.26.0). The plugin's experimental REST API event-reaction endpoints (`react_to_event` / `unreact_to_event`) use `get_items_permissions_check()` as their permission callback, which only confirms the caller is logged in and does not apply the per-logger capability checks enforced by `Log_Query`. A Subscriber-level attacker can POST to `/wp-json/simple-history/v1/events/<id>/react` with `_fields=context` to read the full context of any Simple History event. Because `SimpleUserLogger` records the complete password-reset email body—including the reset URL with key—an attacker can trigger an administrator password reset, brute-force recent event IDs through the reaction endpoint, extract the reset key from `context.message`, and complete the reset to seize the administrator account. Exploitation is contingent on the non-default experimental-features option (`simple_history_experimental_features_enabled`) having been enabled by an administrator. The vulnerability was published on 2026-05-30 and last modified on 2026-06-01. A changeset (3524112) in the WordPress plugin repository indicates a fix was committed to trunk.

Vendor: eskapism
Product: Simple History – Track, Log, and Audit WordPress Changes
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-30
Original CVE updated: 2026-06-01
Advisory published: 2026-05-30
Advisory updated: 2026-06-01

Who should care

WordPress site administrators using the Simple History plugin, especially those who have enabled experimental features; security operations teams monitoring for authenticated privilege-escalation activity; and WordPress hosting providers managing plugin update cadences.

Technical summary

The Simple History plugin registers `react_to_event()` and `unreact_to_event()` REST endpoints with `get_items_permissions_check()` as the `permission_callback`. This callback validates authentication but omits the logger-specific capability checks that `Log_Query` normally enforces. An authenticated Subscriber can therefore retrieve the `context` field of arbitrary events, including `SimpleUserLogger` events that store the full password-reset email body. By triggering an administrator password reset and reading the resulting event context, the attacker obtains the reset key and completes account takeover. The attack requires the non-default `simple_history_experimental_features_enabled` option to be active.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Simple History to a version newer than 5.26.0 (a fix changeset is present in trunk).
  • If immediate patching is not possible, disable the experimental features option (`simple_history_experimental_features_enabled`) to prevent exposure of the affected REST endpoints.
  • Review Simple History event logs for suspicious `_fields=context` queries to the `/wp-json/simple-history/v1/events/<id>/react` endpoint by low-privilege users.
  • Audit administrator accounts for unauthorized password resets or unexpected login activity following the disclosure date.
  • Restrict REST API access for untrusted or low-privilege users via additional capability checks or network-level controls if the plugin must remain unpatched.
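The log-review action above can be automated. The following is an added example (not code from the plugin or from PatchSiren) that scans web-server access logs in combined format for successful `react`/`unreact` calls requesting `_fields=context` and flags source addresses that read the context of several distinct event IDs in a short window, the enumeration pattern this debrief describes. The log lines are constructed samples; access logs do not carry the WordPress user, so a flagged address still has to be correlated with the site's authentication records to confirm it was a low-privilege account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2026:10:01:02 +0000] "POST /wp-json/simple-history/v1/events/4101/react?_fields=context HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.7 - - [30/May/2026:10:01:03 +0000] "POST /wp-json/simple-history/v1/events/4102/react?_fields=context HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.7 - - [30/May/2026:10:01:03 +0000] "POST /wp-json/simple-history/v1/events/4103/react?_fields=context HTTP/1.1" 200 655 "-" "curl/8.0"
203.0.113.7 - - [30/May/2026:10:01:04 +0000] "POST /wp-json/simple-history/v1/events/4104/react?_fields=context HTTP/1.1" 200 901 "-" "curl/8.0"
198.51.100.9 - - [30/May/2026:10:05:00 +0000] "POST /wp-json/simple-history/v1/events/4120/react HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.9 - - [30/May/2026:10:20:00 +0000] "GET /wp-json/simple-history/v1/events?_fields=context HTTP/1.1" 403 70 "-" "Mozilla/5.0"
"""

# Combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Reaction endpoint with the context field explicitly requested in the query string.
REACT_RE = re.compile(
    r'^/wp-json/simple-history/v1/events/(?P<id>\d+)/(?:un)?react\?(?:.*&)?_fields=context(?:&|$)')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path'], int(m['status'])

def find_context_reads(log_text):
    """Return (ip, ts, event_id) for every successful react call asking for `context`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ip, ts, _method, path, status = rec
        r = REACT_RE.match(path)
        if r and status == 200:
            hits.append((ip, ts, int(r['id'])))
    return hits

def enumeration_sources(hits, min_ids=3, window=timedelta(minutes=5)):
    """Map ip -> sorted event IDs for addresses reading >= min_ids distinct events within `window`."""
    by_ip = defaultdict(list)
    for ip, ts, eid in hits:
        by_ip[ip].append((ts, eid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each request
            ids = {eid for ts, eid in events[i:] if ts - start <= window}
            if len(ids) >= min_ids:
                flagged[ip] = sorted(ids)
                break
    return flagged
```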

Evidence notes

The vulnerability description and source references identify the affected endpoints and permission-callback flaw. Source references point to the 5.26.0 tag and trunk versions of `class-event.php` and `class-wp-rest-events-controller.php`, including line-specific locations for the reaction endpoints and permission checks. A changeset reference (3524112) documents the trunk fix. The Wordfence advisory link provides the coordinated disclosure source. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) yields a base score of 7.5 (HIGH). CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) is cited as the weakness classification.

Official resources

2026-05-30T10:16:22.610Z