PatchSiren

eskapism CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH | eskapism CVE | published 2026-05-30

CVE-2026-7459

An authenticated account-takeover vulnerability exists in the Simple History WordPress plugin (versions ≤ 5.26.0). The plugin's experimental REST API event-reaction endpoints (`react_to_event` / `unreact_to_event`) use `get_items_permissions_check()` as their permission callback, which only confirms the caller is logged in and does not apply the per-logger capability checks enforced by `Log_Query`. A Subs [truncated]