Authenticated Account Takeover Vulnerability in Simple History Plugin for WordPress
CVE-2026-7459

7.5 HIGH

What is CVE-2026-7459?

The Simple History plugin for WordPress is vulnerable to authenticated account takeover because certain event reaction endpoints lack an adequate permission (capability) check. A user holding only the Subscriber role can call these endpoints and read sensitive event data, up to the full context of any event Simple History has recorded. The attack chain is: the Subscriber requests a password reset for an administrator account; the content of the resulting password reset email, including the reset URL and reset key, is present in the context of the event Simple History records; the attacker then brute-forces event IDs against the under-protected endpoint until that event is returned, and uses the recovered reset key to set a new password for the administrator. All versions up to and including 5.26.0 are affected, particularly installations where the plugin's experimental features are enabled. Sites that cannot update immediately should confirm that those experimental features are disabled.
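The attack sequence described above (a low-privilege account requests a password reset for an administrator, then sweeps event IDs until it finds the event holding the reset email) leaves a recognisable trace in request logs: one authenticated user, a password-reset request, and a burst of requests for many distinct, usually contiguous, event IDs within minutes. The detection script below is an added example written for this page, not code from the Simple History project or from the advisory. The log format, the user names and the /wp-json/example/v1/events/<id>/context route are constructed placeholders (the plugin's actual endpoint names are not given on the page); /wp-login.php?action=lostpassword is WordPress's real password-reset request path.

```python
"""Flag one user enumerating many event IDs shortly after a password-reset request.

Log format is a constructed one for this example:
    <iso-time> <wp-user> <method> <path> <status>
The event-context route is a hypothetical placeholder; substitute the real route.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Hypothetical event-context route (assumption; not the plugin's real route name).
EVENT_RE = re.compile(r"^/wp-json/[^/]+/v1/events/(?P<id>\d+)/context(?:\?|$)")
# Real WordPress "lost password" request path.
LOSTPASSWORD_RE = re.compile(r"^/wp-login\.php\?action=lostpassword(?:&|$)")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, path, status = m.groups()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "method": method, "path": path, "status": int(status)}


def find_enumeration(lines, window=timedelta(minutes=5), min_ids=20):
    """Return one finding per user who requested >= min_ids distinct event IDs
    inside any `window`, noting whether a password reset was requested nearby.
    Status codes are deliberately not filtered: failed ID guesses are part of
    the brute-force signal."""
    events = defaultdict(list)   # user -> [(time, event_id)]
    resets = defaultdict(list)   # user -> [time of lostpassword request]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if LOSTPASSWORD_RE.match(rec["path"]):
            resets[rec["user"]].append(rec["time"])
        m = EVENT_RE.match(rec["path"])
        if m:
            events[rec["user"]].append((rec["time"], int(m.group("id"))))

    findings = []
    for user, hits in events.items():
        hits.sort()
        best, start = None, 0
        for end in range(len(hits)):            # sliding time window over sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ids = {eid for _, eid in hits[start:end + 1]}
            if len(ids) >= min_ids and (best is None or len(ids) > best["distinct_ids"]):
                lo, hi = hits[start][0], hits[end][0]
                best = {
                    "user": user,
                    "window_start": lo,
                    "window_end": hi,
                    "distinct_ids": len(ids),
                    # A contiguous ID range is the signature of a sequential sweep.
                    "contiguous": max(ids) - min(ids) + 1 == len(ids),
                    # Reset request inside [window_start - window, window_end].
                    "reset_requested": any(lo - window <= t <= hi for t in resets[user]),
                }
        if best is not None:
            findings.append(best)
    return findings


def _constructed_log():
    """Constructed sample traffic: one subscriber sweeping IDs, one benign admin."""
    base = datetime(2026, 3, 1, 10, 0, 0)
    lines = ["%s sub01 POST /wp-login.php?action=lostpassword 302" % base.isoformat()]
    for i in range(25):                         # 25 consecutive IDs, one per second
        t = base + timedelta(seconds=5 + i)
        lines.append("%s sub01 GET /wp-json/example/v1/events/%d/context 200"
                     % (t.isoformat(), 1200 + i))
    for i, eid in enumerate((88, 412, 1210)):   # admin reads three unrelated events
        t = base + timedelta(seconds=10 + 7 * i)
        lines.append("%s admin GET /wp-json/example/v1/events/%d/context 200"
                     % (t.isoformat(), eid))
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for finding in find_enumeration(SAMPLE_LOG):
        print(finding)
```

Tune `min_ids` and `window` to the site's normal admin activity; the combination of a contiguous ID range, a low-privilege account, and a preceding reset request is what distinguishes this chain from an administrator paging through the log.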

Affected Version(s)

Simple History – Track, Log, and Audit WordPress Changes: versions 0 through 5.26.0 inclusive (0 <= version <= 5.26.0)

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 7.5
Severity: HIGH
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved
  • Vulnerability published

Credit

Ly Hoang