Security Advisory · Published 2026-05-30

Simple History CVE-2026-7459: how a Subscriber can become admin (and what to check)

CVE-2026-7459 (CVSS 7.5, published May 30, 2026) hits the Simple History — Track, Log, and Audit WordPress Changes plugin (≤ 5.26.0). A logged-in Subscriber can read sensitive event context through the REST route /wp-json/simple-history/v1/events/<id>/react, including full password-reset email bodies with their reset links. Chain that with a forced admin password reset and you get administrator takeover. The experimental-features option must be enabled for the worst case, but plenty of shops turn on "try beta features" once and forget about it.

TL;DR

  • CVE: CVE-2026-7459 · CVSS 7.5 · CWE-640 weak authentication
  • Plugin: Simple History ≤ 5.26.0
  • Minimum role to exploit: Subscriber (the lowest-tier account, e.g. a free or paid membership sign-up)
  • Fix: update plugin; disable experimental features until patched; audit Subscribers

Attack path in plain English

Simple History logs admin actions — including when someone requests a password reset. The REST controllers react_to_event() and unreact_to_event() use get_items_permissions_check() as their permission callback. That callback only checks "is the caller logged in?" — not whether they may read that logger's events. A Subscriber passes the check, then uses the _fields=context query parameter to pull the full event payload.

The killer detail: SimpleUserLogger records the entire password-reset email, reset URL included. Attacker triggers wp-login.php?action=lostpassword for an admin, brute-forces recent event IDs through the REST API, reads the reset key from context.message, and completes the reset. Game over.

Step 1 — Plugin installed?

Search plugins for Simple History. Slug: simple-history.

wp plugin list | grep -i simple-history

Not installed → not affected.

Step 2 — Version and experimental flag

Versions ≤ 5.26.0 are in scope. Update to the latest release immediately.

Check whether experimental features are on:

wp option get simple_history_experimental_features_enabled

If the option returns 1 or true, assume the high-impact path was available until you patch. Turn it off after updating if you do not actively need it.

Step 3 — Subscriber inventory

List every Subscriber — membership sites, WooCommerce "customer" roles mapped to Subscriber, old forum accounts:

wp user list --role=subscriber --fields=ID,user_login,user_email,user_registered --format=table

Delete stale accounts. If you do not need open registration, disable Settings → General → Anyone can register.

Step 4 — REST access log review

grep -E 'simple-history/v1/events/[0-9]+/react' /var/log/nginx/access.log* | tail -50

Look for client IPs tied to Subscriber sessions (match them against your security plugin's user-session records) pulling runs of sequential event IDs; that pattern is someone sweeping for reset tokens.
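As an added example (not from the original advisory or the plugin's own code), a small Python detector that applies the Step 4 check to nginx combined-format access-log lines: it groups hits on the react route by client IP and flags IPs that pull runs of near-sequential event IDs with _fields=context. The log lines are constructed samples, and the thresholds min_ids and max_gap are assumptions you should tune to your traffic.

```python
import re
from collections import defaultdict

# Constructed sample nginx access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2026:10:01:01 +0000] "GET /wp-json/simple-history/v1/events/1041/react?_fields=context HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [30/May/2026:10:01:02 +0000] "GET /wp-json/simple-history/v1/events/1042/react?_fields=context HTTP/1.1" 200 498 "-" "curl/8.0"
203.0.113.7 - - [30/May/2026:10:01:03 +0000] "GET /wp-json/simple-history/v1/events/1043/react?_fields=context HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.7 - - [30/May/2026:10:01:04 +0000] "GET /wp-json/simple-history/v1/events/1044/react?_fields=context HTTP/1.1" 200 611 "-" "curl/8.0"
198.51.100.5 - - [30/May/2026:10:05:00 +0000] "POST /wp-json/simple-history/v1/events/1040/react HTTP/1.1" 200 80 "-" "Mozilla/5.0"
198.51.100.5 - - [30/May/2026:10:30:00 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 80 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD PATH PROTO", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The route named in the advisory, with an optional query string.
ROUTE_RE = re.compile(r'^/wp-json/simple-history/v1/events/(?P<event_id>\d+)/react(?:\?(?P<query>.*))?$')


def parse_react_requests(log_text):
    """Yield (ip, event_id, wants_context, status) for every hit on the react route."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = ROUTE_RE.match(m['path'])
        if not r:
            continue
        query = r['query'] or ''
        yield m['ip'], int(r['event_id']), '_fields=context' in query, int(m['status'])


def find_sweeps(log_text, min_ids=3, max_gap=5):
    """Return {ip: sorted event IDs} for IPs that requested at least min_ids distinct
    event IDs with _fields=context, where neighbouring IDs differ by at most max_gap.
    Denied (403) attempts still count: the sweep itself is the signal."""
    ids_by_ip = defaultdict(set)
    for ip, event_id, wants_context, _status in parse_react_requests(log_text):
        if wants_context:
            ids_by_ip[ip].add(event_id)
    sweeps = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        if len(ordered) >= min_ids and all(b - a <= max_gap for a, b in zip(ordered, ordered[1:])):
            sweeps[ip] = ordered
    return sweeps


if __name__ == '__main__':
    for ip, ids in find_sweeps(SAMPLE_LOG).items():
        print(f'{ip}: swept event IDs {ids[0]}..{ids[-1]} ({len(ids)} distinct IDs)')
```

Feed it real files with `find_sweeps(open(path).read())`; on rotated `.gz` logs read them through gzip first.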

Step 5 — Admin hygiene after patch

  • Force password reset for all administrators.
  • Invalidate all other administrator sessions (via your security plugin, or by clearing each admin's session_tokens user meta).
  • Confirm no unknown admin accounts in Users → All Users.
  • Review Simple History itself for odd entries in the last 7 days.

When to call for help

If an admin password was reset without your action, treat it as active compromise — recovery guide and our Compromise Check ($99). Prevention-only? Quick Patch Call ($49). Alert signup · @ping7cve.

FAQ — CVE-2026-7459

Can a Subscriber exploit this without experimental mode?
The worst case requires simple_history_experimental_features_enabled; still patch immediately.
Which REST routes are involved?
/wp-json/simple-history/v1/events/<id>/react with _fields=context.
First step after patching?
Force password reset for all administrators and review Subscriber accounts.

References