CVE-2026-7459— Simple History – Track, Log, and Audit WordPress Changes <= 5.26.0 - Authenticated (Subscriber+) Account Takeover via Missing Authorization on Event Reaction Endpoint
Possible ATT&CK Techniques 3AI
T1530 · Data from Cloud Storage T1078 · Valid Accounts T1528 · Steal Application Access TokenAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| eskapism | Simple History – Track, Log, and Audit WordPress Changes | ≤ 5.26.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-7459
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Simple History – Track, Log, and Audit WordPress Changes <= 5.26.0 - Authenticated (Subscriber+) Account Takeover via Missing Authorization on Event Reaction Endpoint
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/<id>/react with the _fields=context query parameter and read the full context of any Simple History event — including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
忘记口令恢复机制弱
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| eskapism | Simple History – Track, Log, and Audit WordPress Changes | 0 ~ 5.26.0 | - |
II. Public POCs for CVE-2026-7459
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-7459
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-7459 (2)
Other References for CVE-2026-7459 (1)
IV. Related Vulnerabilities
Same weakness: CWE-640
- CVE-2026-10169
OUSL-GROUP-BrinaryBrains School Student Management System Fo - CVE-2026-35676
phpMyFAQ - Unauthenticated Password Reset via User Password - CVE-2026-9609
QianFox FoxCMS Admin.php edit password recovery - CVE-2026-9466
Tiandy Easy7 Integrated Management Platform API Endpoint upd - CVE-2026-42606
AzuraCast: Password Reset Poisoning via Untrusted X-Forwarde
V. Comments for CVE-2026-7459
No comments yet