Severity: HIGH | CVE-2026-7459 | CNA: Wordfence

CVE-2026-7459: Simple History – Track, Log, and Audit WordPress Changes <= 5.26.0 - Authenticated (Subscriber+) Account Takeover via Missing Authorization on Event Reaction Endpoint

The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/<id>/react with the _fields=context query parameter and read the full context of any Simple History event — including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default.

HarborGuard Analysis

Synopsis

Missing authorization on the Simple History WordPress plugin's event reaction REST endpoints (versions up to and including 5.26.0) lets any authenticated Subscriber-level user read arbitrary event context. The flaw is reached over the network with a low-privilege account and no victim interaction; an attacker triggers a password reset for an administrator, brute-forces recent event IDs through /wp-json/simple-history/v1/events/<id>/react with _fields=context, extracts the reset key from the logged password-reset email body, and takes over the administrator account. No fix has been published yet, and HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against WordPress plugin inventories in customer registries and CI pipelines, including custom-built images that bundle Simple History.

Triage: Available

Triage is available with the published CVSS 3.1 score of 7.5 (High) weighted against each customer's compliance policy, so the finding is routed to the correct inbox inside each customer org based on their own severity thresholds and WordPress-exposure posture.

Patch: Pending upstream

No upstream fix is published yet. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment eskapism ships a fixed Simple History release; environments with auto-remediation enabled then receive a rebuilt image, a regression-test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress REST API over the network at /wp-json/simple-history/v1/events/<id>/react.

  • Authentication: Required

    Any low-privilege account is sufficient; a Subscriber-level WordPress user can call the vulnerable endpoint.

  • Victim interaction: Not required

    No administrator action is needed; the attacker drives the lost-password flow themselves.

  • Attack complexity: High

    Complexity is rated High because the attacker must brute-force recent event IDs and the site admin must have enabled the non-default experimental features option.

Blast Radius

  • Reads the full context of arbitrary Simple History events, including SimpleUserLogger entries that contain password-reset email bodies with live reset URLs and keys.
  • Uses the leaked reset key to complete a password reset and take over an administrator account, yielding full WordPress admin control.
  • With admin access, modifies posts, users, plugins, and site configuration, and can install code that persists beyond the original compromise.
  • Can disrupt site availability by disabling plugins, locking out other administrators, or taking the site offline.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the Wordfence advisory for an upstream Simple History release that addresses the missing capability check on react_to_event() and unreact_to_event(). Until a fix ships, compensating-control guidance is surfaced in the finding: disable the experimental features option (simple_history_experimental_features_enabled) so the reaction endpoints are not registered, restrict Subscriber-level self-registration where it is not needed, and consider network-policy or WAF rules that block unauthenticated and low-privilege access to /wp-json/simple-history/v1/events/*/react. The moment a patched plugin version is published, a rebuilt image becomes available on HarborGuard, and customers with auto-remediation enabled get a regression-tested rebuild and a PR opened against affected workloads.
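As an added example (not HarborGuard's or the plugin's own code), the following Python scan looks for the two indicators described above in constructed web-server access-log lines: reaction-endpoint calls that carry _fields=context, and a single client walking many event IDs in a short window. The combined log format, the thresholds, and the sample addresses and event IDs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Reaction routes named in the advisory (react_to_event / unreact_to_event).
REACT_RE = re.compile(r"^/wp-json/simple-history/v1/events/(\d+)/(?:un)?react/?$")
# Combined log format: client, identd, user, [timestamp], "METHOD target proto".
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*"')

def parse_line(line):
    """Return a record for requests to the reaction endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, method, target = m.groups()
    url = urlsplit(target)
    route = REACT_RE.match(url.path)
    if not route:
        return None
    fields = ",".join(parse_qs(url.query).get("_fields", [])).split(",")
    return {"client": client, "method": method, "event_id": int(route.group(1)),
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "wants_context": "context" in fields}

def detect(lines, min_ids=5, window=timedelta(seconds=60)):
    """Flag reaction calls that ask for the event context (a normal reaction has
    no reason to) and clients touching >= min_ids distinct event IDs per window."""
    findings, per_client = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["wants_context"]:
            findings.append((rec["client"], "context_read", rec["event_id"]))
        per_client[rec["client"]].append((rec["time"], rec["event_id"]))
    for client, hits in per_client.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ids = {eid for t, eid in hits[i:] if t - start <= window}
            if len(ids) >= min_ids:
                findings.append((client, "id_enumeration", len(ids)))
                break
    return findings

# Constructed sample log: RFC 5737 addresses and made-up event IDs, not real data.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/May/2026:12:00:0{i} +0000] "POST /wp-json/simple-history'
    f'/v1/events/{1040 + i}/react?_fields=context HTTP/1.1" 200 512' for i in range(1, 6)
] + [
    '198.51.100.3 - - [10/May/2026:12:00:07 +0000] "POST /wp-json/simple-history/v1/events/1040/react HTTP/1.1" 200 120',
    '192.0.2.9 - - [10/May/2026:12:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048',
]
```

Feed real access logs through detect() once the experimental-features option is confirmed enabled; the plain reaction from 198.51.100.3 produces no finding, while the sequential context reads do.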


Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: no fix published
Affected products: 1
Affected packages:
  • eskapism / Simple History – Track, Log, and Audit WordPress Changes, ≤ 5.26.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H