CVE-2026-7459

May 30, 2026, 10:16 a.m.

7.5
High

Description

The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/<id>/react with the _fields=context query parameter and read the full context of any Simple History event — including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default.

Product(s) Impacted

Vendor Product Versions
Wordpress
  • Simple History
  • 5.26.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-640
Weak Password Recovery Mechanism for Forgotten Password
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wordpress simple_history 5.26.0 / / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-event.php#L613
https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-wp-rest-events-controller.php#L1215
https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-wp-rest-events-controller.php#L1420
https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-wp-rest-events-controller.php#L1460
https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-wp-rest-events-controller.php#L778
https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-event.php#L613
https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-wp-rest-events-controller.php#L1215
https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-wp-rest-events-controller.php#L1420
https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-wp-rest-events-controller.php#L1460
https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-wp-rest-events-controller.php#L778
https://plugins.trac.wordpress.org/changeset/3524112/simple-history/trunk/inc/class-wp-rest-events-controller.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/95d2bf1a-0993-4553-a00e-6f555c3f15be?source=cve

Tags

[email protected]
CWE-640
2026-05-30
CVE-2026-7459

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: May 30, 2026, 10:16 a.m.
Last Modified: May 30, 2026, 10:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.