CVE-2026-7459: Simple History Plugin Auth Bypass Flaw

CVE-2026-7459 Overview

CVE-2026-7459 affects the Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress in all versions up to and including 5.26.0. The vulnerability allows authenticated users with Subscriber-level access to read the full context of any logged event through the plugin's event reaction REST API endpoints. Because the plugin records the full body of password-reset emails — including the reset URL with the reset key — an attacker can trigger an administrator password reset, harvest the reset key from the log, and complete account takeover. Exploitation requires the experimental features option (simple_history_experimental_features_enabled) to have been enabled by an administrator, which is not the default state.

Critical Impact

A Subscriber-level user can escalate to full administrator on affected WordPress sites by extracting password-reset links from plugin event logs through unauthorized REST API access.

Affected Products

• Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress, versions up to and including 5.26.0
• WordPress installations with the experimental features option enabled
• Sites using SimpleUserLogger to capture authentication events

Discovery Timeline

• 2026-05-30 - CVE-2026-7459 published to NVD
• 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-7459

Vulnerability Analysis

The vulnerability is a broken access control flaw [CWE-640] in the plugin's WordPress REST API controller. The react_to_event() and unreact_to_event() endpoints register get_items_permissions_check() as their permission_callback. This callback only verifies that the requester is authenticated and does not enforce the per-logger capability checks normally applied by Log_Query.

A Subscriber-level user can issue a POST request to /wp-json/simple-history/v1/events/<id>/react with the _fields=context query parameter. The endpoint returns the full event context for any event ID, regardless of which logger produced it or which capabilities should gate access.

The most impactful disclosed data is SimpleUserLogger entries of type user_requested_password_reset_link. These entries store the verbatim password-reset email body — including the reset URL and reset key — inside the context.message field.

Root Cause

The root cause is an authorization mismatch between the reaction endpoints and the standard event query path. The plugin's main Log_Query enforces per-logger capability checks before returning event context. The reaction endpoints bypass this check by relying solely on is_user_logged_in() semantics inside get_items_permissions_check(), exposing privileged log content to any authenticated role.

Attack Vector

The attacker authenticates as a Subscriber, then submits the lost-password form for an administrator account. This generates a user_requested_password_reset_link event containing the reset URL. The attacker brute-forces recent event IDs against the reaction endpoint with _fields=context, parses context.message to extract the reset key, then visits the legitimate WordPress reset URL to set a new administrator password. No interaction from the targeted administrator is required.

Technical details and the corrective changeset are available in the WordPress Changeset 3524112 and the Wordfence Vulnerability Report.

Detection Methods for CVE-2026-7459

Indicators of Compromise

• POST requests from low-privilege users to /wp-json/simple-history/v1/events/<id>/react or /unreact endpoints.
• Sequential or rapid event ID enumeration against the reaction endpoints by a single authenticated session.
• Requests to the reaction endpoints carrying the _fields=context query parameter.
• Successful password resets for administrator accounts that follow Subscriber-level activity on the reaction endpoints.

Detection Strategies

• Inspect web server and WordPress access logs for POST /wp-json/simple-history/v1/events/ traffic originating from Subscriber, Contributor, or other non-administrative sessions.
• Correlate user_requested_password_reset_link log entries with subsequent successful password resets from a different source IP or user agent.
• Alert on any account that performs reaction endpoint enumeration shortly before a privileged password change.

Monitoring Recommendations

• Continuously monitor REST API traffic to wp-json/simple-history/* and baseline expected callers.
• Track changes to the simple_history_experimental_features_enabled option and alert when it is enabled.
• Watch for administrator role assignments or password changes that follow REST API activity from low-privilege accounts.

How to Mitigate CVE-2026-7459

Immediate Actions Required

• Update the Simple History plugin to the version that includes WordPress Changeset 3524112, which corrects the permission callback.
• Disable the experimental features option by setting simple_history_experimental_features_enabled to false until patched.
• Audit recent password-reset events for administrator accounts and force a password rotation for any account whose reset link may have been logged.
• Review user roles and remove unused Subscriber-level accounts that could be abused for authenticated exploitation.

Patch Information

The vendor corrected the permission callback on the react_to_event() and unreact_to_event() endpoints in WordPress Changeset 3524112. The fix applies the same per-logger capability checks used by Log_Query, preventing low-privilege users from reading event context they are not authorized to view. Refer to the Wordfence Vulnerability Report for the fixed version details.

Workarounds

• Set the WordPress option simple_history_experimental_features_enabled to false to disable the reaction endpoints' exploitable path.
• Restrict access to the /wp-json/simple-history/ REST namespace via a web application firewall rule that blocks non-administrative roles.
• Temporarily restrict new user registration and review existing Subscriber accounts until the patch is applied.

# Disable the experimental features option via WP-CLI
wp option update simple_history_experimental_features_enabled 0

# Verify the current value
wp option get simple_history_experimental_features_enabled

# Update the Simple History plugin to the patched release
wp plugin update simple-history