Simple History WordPress Plugin Account Takeover (CVE-2026-7459): Subscriber-Level Access Enables Privilege Escalation

A privilege escalation vulnerability in the Simple History WordPress plugin, tracked as CVE-2026-7459, allows authenticated attackers with Subscriber-level access — the lowest WordPress user role — to take over higher-privileged accounts. The vulnerability carries a CVSS score of 7.5 and affects the activity logging plugin used by WordPress sites to maintain audit trails of user and system actions.

What Is the Vulnerability?

CVE-2026-7459 is a weak password recovery mechanism vulnerability that manifests as a permission bypass in Simple History’s REST API event reaction endpoints. The plugin exposes react_to_event() and unreact_to_event() REST API endpoints that allow users to react to logged events. These endpoints register get_items_permissions_check() as their permission callback — a function that only verifies the requester is logged in, without enforcing the per-logger capability checks that the Log_Query class normally applies.

The result is that a Subscriber-level user — who would normally have no access to event reaction functionality or the audit log data — can send crafted REST API requests to the reaction endpoints that trigger actions normally restricted to higher-privilege roles. Through this permission gap, an attacker can manipulate the audit log, interact with events tied to administrative accounts, and ultimately escalate to full account takeover. A Subscriber account, which can be obtained through self-registration on many WordPress sites, becomes a stepping stone to administrative access.
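The permission gap described above comes down to a REST route whose permission callback asks only "is someone logged in?" instead of "may this user do this?". The following is an added example written for this advisory, not Simple History's own code: it shows that weak pattern beside a hardened one using the standard WordPress REST API registration functions. The namespace `example/v1`, the route `/events/(?P<id>\d+)/react`, the `manage_options` capability and the helper `example_user_can_view_event()` are assumptions chosen for illustration; the plugin's real per-logger checks in `Log_Query` are not reproduced here.

```php
<?php
/**
 * Added example (not Simple History's code): a REST route whose permission
 * callback only checks login state, beside a hardened version that enforces a
 * capability and a per-event visibility check before the handler runs.
 *
 * Assumed names: namespace 'example/v1', route '/events/(?P<id>\d+)/react',
 * capability 'manage_options', helper example_user_can_view_event().
 */

// WEAK: any authenticated user, including a Subscriber, passes this check.
// This is the class of permission gap the advisory describes.
function example_weak_permission_check( WP_REST_Request $request ) {
	return is_user_logged_in();
}

// HARDENED: require login, require a capability appropriate for the action,
// then confirm the caller may see the specific event they want to react to.
function example_hardened_permission_check( WP_REST_Request $request ) {
	if ( ! is_user_logged_in() ) {
		return new WP_Error(
			'rest_not_logged_in',
			__( 'You must be logged in.', 'example' ),
			array( 'status' => rest_authorization_required_code() ) // 401 or 403
		);
	}

	// Assumed capability; a real plugin would map this to its own role model.
	if ( ! current_user_can( 'manage_options' ) ) {
		return new WP_Error(
			'rest_forbidden',
			__( 'You are not allowed to react to events.', 'example' ),
			array( 'status' => rest_authorization_required_code() )
		);
	}

	// Object-level check: capability alone is not enough if some events are
	// restricted to particular users or loggers.
	$event_id = (int) $request->get_param( 'id' );
	if ( ! example_user_can_view_event( get_current_user_id(), $event_id ) ) {
		return new WP_Error(
			'rest_forbidden',
			__( 'That event is not visible to you.', 'example' ),
			array( 'status' => 403 )
		);
	}

	return true;
}

// Hypothetical per-event visibility rule, filterable by site code, standing in
// for the plugin's per-logger capability logic.
function example_user_can_view_event( $user_id, $event_id ) {
	return (bool) apply_filters( 'example_user_can_view_event', true, $user_id, $event_id );
}

// Handler: it relies on the permission callback having already run, so the
// security of the route is entirely decided by which callback is registered.
function example_react_to_event( WP_REST_Request $request ) {
	return rest_ensure_response( array( 'reacted_to' => (int) $request->get_param( 'id' ) ) );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/events/(?P<id>\d+)/react', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => 'example_react_to_event',
		// Registering example_weak_permission_check here instead would
		// reproduce the login-only gap; the hardened callback is what ships.
		'permission_callback' => 'example_hardened_permission_check',
		'args'                => array(
			'id' => array(
				'validate_callback' => function ( $value ) {
					return is_numeric( $value );
				},
			),
		),
	) );
} );
```

The point to carry away is that `permission_callback` is the only gate between an authenticated request and the handler: a callback that returns `true` for every logged-in user grants every role the same access, so both the capability check and the object-level check belong there rather than inside the handler.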

The vulnerability is classified under CWE-640 (Weak Password Recovery Mechanism for Forgotten Password):

  • CVSS v3.1 Score: 7.5 (High)
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: Low — Subscriber-level (PR:L)
  • User Interaction: None (UI:N)
  • Impact: High on confidentiality, integrity, and availability (C:H/I:H/A:H)

Which Versions Are Affected?

The vulnerability affects Simple History versions up to and including 5.26.0:

  • Simple History – Track, Log, and Audit WordPress Changes: all versions up to 5.26.0

The fix was released in version 5.26.1. If your WordPress site is running Simple History version 5.26.0 or earlier, it is vulnerable.

Is It Being Exploited in the Wild?

No active exploitation has been publicly confirmed at the time of writing. However, the vulnerability chain is well-understood: Subscriber access leading to privilege escalation is a common attack pattern in WordPress environments. Sites that allow open user registration — membership sites, forums, e-learning platforms, and community portals — are at elevated risk, as an attacker can self-register a Subscriber account and immediately exploit the vulnerability. The vulnerability was published on May 30, 2026, and WordPress plugin vulnerabilities that enable privilege escalation from the lowest user role are consistently targeted by automated attack tooling.

What Is the Fix?

The Simple History development team has released version 5.26.1 to address CVE-2026-7459. The fix corrects the permission callback on the event reaction endpoints, ensuring proper capability checks are enforced. The official plugin page is available at:

https://wordpress.org/plugins/simple-history/

Administrators should update Simple History to version 5.26.1 or later via the WordPress admin dashboard:

  • Navigate to Plugins > Installed Plugins
  • Locate Simple History
  • Click Update to version 5.26.1 or later
  • Alternatively, update via WP-CLI: wp plugin update simple-history

Recommendations

Update Simple History immediately. The vulnerability allows privilege escalation from WordPress’s lowest user role — Subscriber — to full site control. If your site permits self-registration, treat this as urgent. Even if you do not allow self-registration, any compromised low-privilege account on your site becomes a vector for full compromise.

Audit the Simple History event log. After updating, review the plugin’s audit log for unexpected reaction events — particularly reactions associated with Subscriber-level user accounts targeting events tied to administrative users. Look for patterns where low-privilege accounts interact with events they should not have access to.

Review user activity for anomalies. Check WordPress user activity logs for Subscriber accounts performing actions outside their normal permission scope. Any Subscriber account that has interacted with administrative pages or modified content should be investigated and its credentials rotated.
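The two audit steps above amount to one heuristic: reaction events whose actor is a low-privilege account and whose underlying event belongs to a higher-privilege user. The following is an added example, not part of the advisory or the plugin, that applies that heuristic to a handful of constructed log rows. The row layout (`action`, `actor`, `actor_role`, `event_owner_role`) and the role lists are assumptions; map them onto the columns of whatever export of the Simple History log you have.

```php
<?php
/**
 * Added example (not Simple History's code): flag reaction events where a
 * low-privilege actor interacted with an event owned by a higher-privilege
 * user, and summarise per actor so repeat offenders stand out.
 *
 * The row format below is constructed for this example.
 */

// Constructed sample rows standing in for exported log entries.
$sample_rows = array(
	array( 'id' => 101, 'action' => 'react',   'actor' => 'alice', 'actor_role' => 'administrator', 'event_owner_role' => 'administrator' ),
	array( 'id' => 102, 'action' => 'react',   'actor' => 'bob',   'actor_role' => 'subscriber',    'event_owner_role' => 'administrator' ),
	array( 'id' => 103, 'action' => 'unreact', 'actor' => 'bob',   'actor_role' => 'subscriber',    'event_owner_role' => 'editor' ),
	array( 'id' => 104, 'action' => 'login',   'actor' => 'bob',   'actor_role' => 'subscriber',    'event_owner_role' => 'subscriber' ),
	array( 'id' => 105, 'action' => 'react',   'actor' => 'carol', 'actor_role' => 'subscriber',    'event_owner_role' => 'subscriber' ),
);

/**
 * Return rows where an actor in $low_roles reacted or unreacted to an event
 * owned by a user in $high_roles. Role names are WordPress defaults but the
 * lists are assumptions you should adjust to your site's role set.
 */
function example_find_suspicious_reactions(
	array $rows,
	array $low_roles = array( 'subscriber' ),
	array $high_roles = array( 'administrator', 'editor' )
) {
	$hits = array();
	foreach ( $rows as $row ) {
		// Only reaction-type events are of interest for this advisory.
		if ( ! in_array( $row['action'], array( 'react', 'unreact' ), true ) ) {
			continue;
		}
		if ( in_array( $row['actor_role'], $low_roles, true )
			&& in_array( $row['event_owner_role'], $high_roles, true ) ) {
			$hits[] = $row;
		}
	}
	return $hits;
}

/**
 * Count flagged rows per actor, most active first, to prioritise which
 * accounts to investigate and rotate credentials for.
 */
function example_summarise_by_actor( array $hits ) {
	$counts = array();
	foreach ( $hits as $hit ) {
		$counts[ $hit['actor'] ] = ( $counts[ $hit['actor'] ] ?? 0 ) + 1;
	}
	arsort( $counts );
	return $counts;
}

$hits = example_find_suspicious_reactions( $sample_rows );
foreach ( $hits as $hit ) {
	printf(
		"event %d: %s (%s) did '%s' on an event owned by a(n) %s\n",
		$hit['id'], $hit['actor'], $hit['actor_role'], $hit['action'], $hit['event_owner_role']
	);
}
foreach ( example_summarise_by_actor( $hits ) as $actor => $count ) {
	printf( "investigate %s: %d flagged reaction(s)\n", $actor, $count );
}
```

Run it with `php audit.php` against your exported rows. Rows that are not reactions, and reactions by low-privilege users on their own events, are deliberately left out so the output stays focused on the pattern the advisory warns about; widen `$high_roles` if your site has custom roles with elevated access.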

Limit self-registration where possible. If your WordPress site does not require open user registration, disable it entirely. For sites that need registration, ensure new accounts default to the lowest possible role and monitor new account creation for suspicious patterns.

This advisory was first covered in the broader Vulnerability Intelligence Report — May 31, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities as of today, refer to the full report.
