{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/simple-history--track-log-and-audit-wordpress-changes-plugin/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7459"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Simple History – Track, Log, and Audit WordPress Changes plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","account-takeover","privilege-escalation","cve"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eCVE-2026-7459 affects the Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress, versions up to and including 5.26.0. An authenticated subscriber-level user can exploit the vulnerability to read the full context of Simple History events, including password reset emails, via the event reaction endpoints (react_to_event() / unreact_to_event()). The vulnerability stems from insufficient permission checks in the \u003ccode\u003eget_items_permissions_check()\u003c/code\u003e function, which only verifies that the user is logged in and fails to enforce logger-specific capability checks. Successful exploitation allows an attacker to extract password reset keys for other users, including administrators, and ultimately take over their accounts. Note that the experimental features option (simple_history_experimental_features_enabled) must be enabled for the vulnerability to be exploitable; this option is not enabled by default.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains a subscriber-level account on the target WordPress site.\u003c/li\u003e\n\u003cli\u003eThe administrator enables the experimental features option within the Simple History plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the WordPress lost password form and requests a password reset for the administrator account. This triggers a \u003ccode\u003euser_requested_password_reset_link\u003c/code\u003e event in the Simple History log.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/wp-json/simple-history/v1/events/\u0026lt;id\u0026gt;/react\u003c/code\u003e with the \u003ccode\u003e_fields=context\u003c/code\u003e parameter, attempting to brute-force the event ID.\u003c/li\u003e\n\u003cli\u003eIf the correct event ID for the password reset event is found, the server responds with the full event context, including the password reset email body within the \u003ccode\u003econtext.message\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the password reset key from the \u003ccode\u003econtext.message\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted reset key to complete the password reset process for the administrator account.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in to the WordPress site with the compromised administrator credentials, achieving full account takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7459 allows an attacker to gain complete control over a WordPress website by compromising an administrator account. This can lead to defacement of the website, installation of malicious plugins or themes, data theft, and further compromise of the underlying server. Since exploitation requires the experimental features option to be enabled, the number of affected sites might be lower than the number of sites with the plugin installed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of the Simple History plugin (later than 5.26.0) to remediate CVE-2026-7459.\u003c/li\u003e\n\u003cli\u003eDisable the experimental features option (simple_history_experimental_features_enabled) in the Simple History plugin settings as a temporary mitigation if upgrading is not immediately possible.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Simple History Password Reset Email Access\u003c/code\u003e to your SIEM and tune it for your environment to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Simple History Event Context Access\u003c/code\u003e to detect unauthorized access to event contexts in Simple History logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-30T10:16:58Z","date_published":"2026-05-30T10:16:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-simple-history-account-takeover/","summary":"CVE-2026-7459 is an authenticated account takeover vulnerability in the Simple History WordPress plugin where a subscriber-level user can read password reset emails and escalate privileges to an administrator account.","title":"CVE-2026-7459: Simple History WordPress Plugin Account Takeover Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-simple-history-account-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed — Simple History – Track, Log, and Audit WordPress Changes Plugin","version":"https://jsonfeed.org/version/1.1"}