CVE-2026-7459: Simple History Plugin Account Takeover via Broken Auth
A broken authentication vulnerability has been disclosed in the Simple History WordPress plugin, tracked as CVE-2026-7459 with a CVSS v3.1 score of 7.5 (High). The flaw affects all plugin versions up to and including 5.26.0 and allows an authenticated attacker with as little as Subscriber-level access to take over any WordPress user account on the same site.
The vulnerability resides in the event reaction endpoints — specifically react_to_event() and unreact_to_event() — which fail to correctly validate user permissions before executing account-level operations via the get_items_permissions() check.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-7459 |
| CVSS Score | 7.5 (High) |
| Affected Plugin | Simple History — Track, Log, and Audit WordPress Changes |
| Affected Versions | All versions up to and including 5.26.0 |
| Vulnerable Endpoints | react_to_event() / unreact_to_event() |
| Authentication Required | Yes — Subscriber level or higher |
| Exploitation | Account takeover of any site user |
| Patch Available | Update to 5.26.1 or later |
About Simple History
Simple History is a widely used WordPress audit log plugin that records user activity — logins, edits, plugin changes, and other administrative actions. It is popular among site administrators for compliance and incident response purposes. The plugin's event reaction feature, introduced to allow users to acknowledge or flag logged events, is the component containing this vulnerability.
Technical Details
The flaw exists because the react_to_event() and unreact_to_event() REST API endpoints register permission callbacks via get_items_permissions(), which does not correctly enforce that the authenticated user has sufficient rights to act on other users' accounts. Specifically:
- A Subscriber-level user (the lowest authenticated role in WordPress) can send a crafted REST API request to the event reaction endpoint
- The insufficient permission check allows the request to proceed without verifying that the actor has rights over the target account
- The endpoint's underlying logic can be abused to perform account-level operations on any user, including administrators
This class of vulnerability — where a REST endpoint registers a permissions callback that is either absent, always returns true, or checks only that the user is logged in — is a recurring pattern in WordPress plugin security disclosures.
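To make that pattern concrete, the following is an added illustration in PHP (hypothetical route and function names; not code from Simple History): the weak registration only checks that the caller is logged in, while the hardened one scopes the permission check to the target user id named in the URL.

```php
<?php
// Hypothetical plugin code added for illustration; not Simple History's.
// Both routes act on the user id in the URL; only the permission check differs.
function example_react_handler( WP_REST_Request $request ) {
    $target_id = (int) $request['id'];
    // Hypothetical data model: store who reacted, keyed by the acting user.
    update_user_meta( $target_id, 'example_reaction_' . get_current_user_id(), time() );
    return rest_ensure_response( array( 'user' => $target_id, 'reacted' => true ) );
}

// Hardened permission callback: the request is available here, so the
// check can be scoped to the specific target account.
function example_react_permission( WP_REST_Request $request ) {
    $target_id = (int) $request['id'];
    if ( ! get_userdata( $target_id ) ) {
        return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
    }
    // A user may act on their own account; otherwise edit_user for that
    // specific id is required, which Subscribers do not hold.
    if ( get_current_user_id() !== $target_id && ! current_user_can( 'edit_user', $target_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not act on this account.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    $id_arg = array(
        'id' => array(
            'validate_callback' => function ( $value ) { return is_numeric( $value ) && (int) $value > 0; },
            'sanitize_callback' => 'absint',
        ),
    );
    // WEAK (the pattern the advisory describes): only "is someone logged in?"
    // is checked, so any Subscriber can target any user id.
    register_rest_route( 'example-plugin/v1', '/users/(?P<id>\d+)/react', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_react_handler',
        'permission_callback' => 'is_user_logged_in',
        'args'                => $id_arg,
    ) );
    // HARDENED: authorization is tied to the target account.
    register_rest_route( 'example-plugin/v1', '/users/(?P<id>\d+)/react-safe', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_react_handler',
        'permission_callback' => 'example_react_permission',
        'args'                => $id_arg,
    ) );
} );
```

When reviewing a plugin, look for permission callbacks that ignore the request object entirely; a callback that cannot see the target id cannot scope its decision to it.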
Attack Preconditions
- The attacker must have a valid WordPress account (Subscriber or higher) on the target site
- The Simple History plugin must be installed and active
- The target site must be running plugin version 5.26.0 or earlier
Exploitation Scenario
1. Attacker registers or obtains a Subscriber-level WordPress account (e.g., via open user registration, purchased access, or credential theft)
2. Attacker crafts a REST API request to:
   POST /wp-json/simple-history/v1/events/{event_id}/react
   Authorization: Subscriber session cookie
3. Due to the missing permission check in get_items_permissions(), the request is processed successfully
4. Attacker leverages the account-level operation to take over a higher-privileged account (Editor, Administrator, etc.)
5. Full site compromise achieved via hijacked admin account
Affected Sites
WordPress sites running Simple History 5.26.0 or earlier with any of the following characteristics face elevated risk:
- Open user registration enabled — attackers can self-register to obtain a Subscriber account
- Multi-author or membership sites — where many users have authenticated access
- E-commerce or community platforms — where Subscriber accounts are routinely granted to customers or members
Remediation
Update the Plugin
The fix is available in Simple History 5.26.1 and later. Update via the WordPress admin dashboard:
- Navigate to Plugins > Installed Plugins
- Locate Simple History and click Update Now
- Confirm the installed version is 5.26.1 or higher
Via WP-CLI:
```shell
wp plugin update simple-history
wp plugin get simple-history --field=version
```
Temporary Mitigations (Pre-Patch)
If immediate patching is not possible:
- Disable the Simple History plugin until the update can be applied
- Restrict user registration to prevent unauthenticated users from obtaining accounts
- Review existing Subscriber-level accounts for unauthorized or suspicious entries
- Enable a WAF with WordPress-specific rules (Wordfence, Cloudflare) to detect anomalous REST API requests
Detection
Monitor for unusual account modification activity in WordPress logs:
```shell
# Check for recent user role changes via WP-CLI
wp user list --format=table
# Review WordPress debug log for REST API anomalies
grep "simple-history.*react" /var/log/wordpress/debug.log
# Look for Subscriber accounts accessing admin-level functions
grep "subscriber" /var/log/nginx/access.log | grep "wp-json/simple-history"
```
Unexpected role escalations, password resets not initiated by the affected user, or unusual activity from Subscriber accounts should be investigated as potential exploitation indicators.
Impact Assessment
| Impact Area | Description |
|---|---|
| Account Takeover | Any site user can be targeted, including administrators |
| Site Compromise | Admin takeover leads to full WordPress site control |
| Data Exposure | All site data, user records, and payment info accessible via hijacked admin |
| Privilege Escalation | Subscriber-to-Admin escalation with no additional steps required |
| Exploitation Barrier | Low — requires only a valid Subscriber account |
Key Takeaways
- CVE-2026-7459 is a high-severity broken authentication flaw in the Simple History WordPress plugin up to version 5.26.0
- A Subscriber-level account is sufficient to exploit the vulnerability and take over any WordPress user account
- The flaw is in the react_to_event()/unreact_to_event() REST endpoints due to an inadequate get_items_permissions() check
- Immediate action: update Simple History to version 5.26.1 or later; disable the plugin if patching cannot be done immediately
- Sites with open user registration are at highest risk and should prioritize remediation