Security Advisory · Published 2026-05-30
Simple History CVE-2026-7459: how a Subscriber can become admin (and what to check)
CVE-2026-7459 (CVSS 7.5, published May 30, 2026) hits the Simple History — Track, Log, and Audit WordPress Changes plugin (≤ 5.26.0). A logged-in Subscriber can read sensitive event context through the REST route /wp-json/simple-history/v1/events/<id>/react, including full password-reset email bodies with their reset links. Chain that with a forced admin password reset and you get administrator takeover. The experimental-features option must be enabled for the worst case, but plenty of shops turn on "try beta features" once and forget.
TL;DR
- CVE: CVE-2026-7459 · CVSS 7.5 · CWE-640 weak authentication
- Plugin: Simple History ≤ 5.26.0
- Minimum role to exploit: Subscriber (lowest-tier account)
- Fix: update plugin; disable experimental features until patched; audit Subscribers
Attack path in plain English
Simple History logs admin actions, including when someone requests a password reset. The REST controllers react_to_event() and unreact_to_event() use get_items_permissions_check() as their permission callback. That callback only checks "is the caller logged in?", not whether the caller may read that logger's events. A Subscriber passes the check, then uses the _fields=context query parameter to pull the full event payload.

The killer detail: SimpleUserLogger records the entire password-reset email, reset URL included. The attacker triggers wp-login.php?action=lostpassword for an admin, brute-forces recent event IDs through the REST API, reads the reset key from context.message, and completes the reset. Game over.
Step 1 — Plugin installed?
Search plugins for Simple History. Slug: simple-history.
wp plugin list | grep -i simple-history
Not installed → not affected.
Step 2 — Version and experimental flag
Versions ≤ 5.26.0 are in scope. Update to the latest release immediately.
Check whether experimental features are on:
wp option get simple_history_experimental_features_enabled
If the option returns 1 or true, assume the high-impact path was
available until you patch. Turn it off after updating if you do not actively need it.
Step 3 — Subscriber inventory
List every Subscriber — membership sites, WooCommerce "customer" roles mapped to Subscriber, old forum accounts:
wp user list --role=subscriber --fields=ID,user_login,user_email,user_registered --format=table
Delete stale accounts. If you do not need open registration, disable Settings → General → Anyone can register.
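As an added triage helper (not code from the advisory or from the Simple History project), the following Python script applies the three checks from Steps 1 to 3 to the JSON that WP-CLI prints with --format=json and produces one verdict: is the installed version in scope, is the experimental toggle on, and which Subscribers deserve a look. The sample WP-CLI output, the 365-day staleness cut-off and the wp_json() wrapper are assumptions for illustration.

```python
"""Triage helper for CVE-2026-7459 (Simple History <= 5.26.0).

Feed it the JSON that WP-CLI prints for the three checks in Steps 1-3:
  wp plugin list --format=json
  wp option get simple_history_experimental_features_enabled --format=json
  wp user list --role=subscriber --fields=ID,user_login,user_email,user_registered --format=json
The sample data at the bottom is constructed for illustration, not captured from a real site.
"""
import json
import re
import subprocess
from datetime import datetime, timedelta, timezone

PLUGIN_SLUG = "simple-history"
MAX_VULNERABLE = "5.26.0"  # highest affected release per the advisory
EXPERIMENTAL_OPTION = "simple_history_experimental_features_enabled"


def version_tuple(version):
    """'5.26.0' -> (5, 26, 0); trailing labels such as '-beta1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def affected_version(plugins):
    """Return the installed Simple History version if it is <= 5.26.0, else None."""
    for p in plugins:
        if p.get("name") == PLUGIN_SLUG and version_tuple(p["version"]) <= version_tuple(MAX_VULNERABLE):
            return p["version"]
    return None


def experimental_enabled(value):
    """wp option get returns 1/'1'/true/'true' when the beta-features toggle is on."""
    if isinstance(value, bool):
        return value
    return str(value).strip().strip('"').lower() in {"1", "true"}


def stale_subscribers(users, now, older_than_days=365):
    """Subscribers registered more than N days ago. The cut-off is an assumption:
    a starting list for the manual review the advisory asks for, not a deletion list."""
    cutoff = now - timedelta(days=older_than_days)
    stale = []
    for u in users:
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if registered < cutoff:
            stale.append(u["user_login"])
    return stale


def triage(plugins, experimental_value, subscribers, now):
    """Combine the three checks into one verdict dict."""
    version = affected_version(plugins)
    if version is None:
        return {"affected": False, "reason": "Simple History not installed or already above 5.26.0"}
    return {
        "affected": True,
        "version": version,
        "experimental_enabled": experimental_enabled(experimental_value),
        "subscriber_count": len(subscribers),
        "stale_subscribers": stale_subscribers(subscribers, now),
    }


def wp_json(*args):
    """Live mode (hypothetical wrapper): run a WP-CLI command with --format=json and parse it."""
    out = subprocess.run(["wp", *args, "--format=json"], check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


# Constructed sample output, shaped like what WP-CLI prints, for offline use.
SAMPLE_PLUGINS = [
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
    {"name": "simple-history", "status": "active", "update": "available", "version": "5.25.2"},
]
SAMPLE_EXPERIMENTAL = "1"
SAMPLE_SUBSCRIBERS = [
    {"ID": 41, "user_login": "oldforumuser", "user_email": "old@example.invalid", "user_registered": "2021-03-04 10:15:00"},
    {"ID": 118, "user_login": "newcustomer", "user_email": "new@example.invalid", "user_registered": "2026-05-02 08:00:00"},
]
SAMPLE_NOW = datetime(2026, 5, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Offline run on the constructed sample; swap in wp_json("plugin", "list") etc. for a live site.
    print(json.dumps(triage(SAMPLE_PLUGINS, SAMPLE_EXPERIMENTAL, SAMPLE_SUBSCRIBERS, SAMPLE_NOW), indent=2))
```

On a live site replace the three SAMPLE_ constants with wp_json("plugin", "list"), wp_json("option", "get", EXPERIMENTAL_OPTION) and wp_json("user", "list", "--role=subscriber", "--fields=ID,user_login,user_email,user_registered"); an "affected" verdict with experimental_enabled true means the high-impact path was reachable until you patched.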
Step 4 — REST access log review
grep -E 'simple-history/v1/events/[0-9]+/react' /var/log/nginx/access.log* | tail -50
Look for Subscriber-role IPs (match them against your security plugin's user sessions) pulling sequential event IDs; that is someone sweeping for reset tokens.
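The grep above shows the raw hits; deciding whether a client is sweeping still takes eyeballing. As an added detection example (not code from the advisory or the plugin), the Python below parses nginx combined-format lines, keeps only requests to the react route, and flags any client IP that touches many distinct event IDs inside a short window, reporting whether the IDs are sequential and how many requests asked for _fields=context. The log lines, the 5-minute window and the five-ID threshold are constructed assumptions; tune the thresholds to your site's normal REST traffic.

```python
"""Flag event-ID sweeps against /wp-json/simple-history/v1/events/<id>/react in nginx access logs.

Added example for Step 4 of the advisory; the sample log lines are constructed in
nginx 'combined' format and do not come from a real server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
ROUTE_RE = re.compile(r"/simple-history/v1/events/(?P<event_id>\d+)/react")

# Thresholds are assumptions; a legitimate reaction touches one event, a sweep touches many.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_IDS = 5


def parse_line(line):
    """Return a dict for a react-route request, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    r = ROUTE_RE.search(m["path"])
    if not r:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "event_id": int(r["event_id"]),
        "asks_context": "_fields=context" in m["path"],
        "status": int(m["status"]),
    }


def find_sweeps(lines, window=WINDOW, min_ids=MIN_DISTINCT_IDS):
    """One finding per client IP whose react-route hits cover >= min_ids distinct
    event IDs inside some sliding window of length `window` (the densest window wins)."""
    by_ip = defaultdict(list)
    for line in lines:
        hit = parse_line(line)
        if hit:
            by_ip[hit["ip"]].append(hit)

    findings = []
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h["ts"])
        best = None  # (distinct count, start index, end index, sorted ids)
        start = 0
        for end in range(len(hits)):
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            ids = sorted({h["event_id"] for h in hits[start:end + 1]})
            if len(ids) >= min_ids and (best is None or len(ids) > best[0]):
                best = (len(ids), start, end, ids)
        if best:
            n, s, e, ids = best
            span = hits[s:e + 1]
            findings.append({
                "ip": ip,
                "distinct_ids": n,
                "id_range": (ids[0], ids[-1]),
                "sequential": ids == list(range(ids[0], ids[0] + n)),
                "context_requests": sum(h["asks_context"] for h in span),
                "first_seen": span[0]["ts"].isoformat(),
            })
    return findings


# Constructed sample: one client walking eight consecutive event IDs with _fields=context,
# one client reacting to a single event (normal use), and one unrelated request.
SAMPLE_LOG = [
    f'203.0.113.7 - - [30/May/2026:09:14:{i:02d} +0000] "POST /wp-json/simple-history/v1/events/{1500 + i}/react?_fields=context HTTP/1.1" 200 812 "-" "Mozilla/5.0"'
    for i in range(8)
] + [
    '198.51.100.4 - - [30/May/2026:09:20:11 +0000] "POST /wp-json/simple-history/v1/events/1499/react HTTP/1.1" 200 95 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [30/May/2026:09:20:15 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_sweeps(SAMPLE_LOG):
        print(f)
```

Pipe real logs in with open(...) in place of SAMPLE_LOG; a finding with sequential true and a high context_requests count is the sweep the advisory describes, and the id_range tells you which events (and therefore which password-reset entries) the client read.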
Step 5 — Admin hygiene after patch
- Force password reset for all administrators.
- Invalidate other sessions (security plugin, or clear the session_tokens user meta with wp user meta).
- Confirm no unknown admin accounts in Users → All Users.
- Review Simple History itself for odd entries in the last 7 days.
When to call for help
If an admin password was reset without your action, treat it as active compromise — recovery guide and our Compromise Check ($99). Prevention-only? Quick Patch Call ($49). Alert signup · @ping7cve.
FAQ — CVE-2026-7459
- Can a Subscriber exploit this without experimental mode?
  The worst case requires simple_history_experimental_features_enabled; still patch immediately.
- Which REST routes are involved?
  /wp-json/simple-history/v1/events/<id>/react with _fields=context.
- First step after patching?
  Force password reset for all administrators and review Subscriber accounts.