Search criteria
3 vulnerabilities by eskapism
CVE-2026-7459 (GCVE-0-2026-7459)
Vulnerability from cvelistv5 – Published: 2026-05-30 09:29 – Updated: 2026-06-01 10:33
VLAI
Title
Simple History – Track, Log, and Audit WordPress Changes <= 5.26.0 - Authenticated (Subscriber+) Account Takeover via Missing Authorization on Event Reaction Endpoint
Summary
The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/<id>/react with the _fields=context query parameter and read the full context of any Simple History event — including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
12 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| eskapism | Simple History – Track, Log, and Audit WordPress Changes |
Affected:
0 , ≤ 5.26.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T10:32:22.650329Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T10:33:32.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Simple History \u2013 Track, Log, and Audit WordPress Changes",
"vendor": "eskapism",
"versions": [
{
"lessThanOrEqual": "5.26.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ly Hoang"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Simple History \u2013 Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/\u003cid\u003e/react with the _fields=context query parameter and read the full context of any Simple History event \u2014 including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T09:29:00.787Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95d2bf1a-0993-4553-a00e-6f555c3f15be?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-wp-rest-events-controller.php#L1420"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-wp-rest-events-controller.php#L1420"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-wp-rest-events-controller.php#L1460"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-wp-rest-events-controller.php#L1460"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-wp-rest-events-controller.php#L778"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-wp-rest-events-controller.php#L778"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-event.php#L613"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-event.php#L613"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-wp-rest-events-controller.php#L1215"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-wp-rest-events-controller.php#L1215"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3524112/simple-history/trunk/inc/class-wp-rest-events-controller.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-29T18:22:14.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-29T20:38:32.000Z",
"value": "Disclosed"
}
],
"title": "Simple History \u2013 Track, Log, and Audit WordPress Changes \u003c= 5.26.0 - Authenticated (Subscriber+) Account Takeover via Missing Authorization on Event Reaction Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7459",
"datePublished": "2026-05-30T09:29:00.787Z",
"dateReserved": "2026-04-29T18:01:43.775Z",
"dateUpdated": "2026-06-01T10:33:32.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10050 (GCVE-0-2025-10050)
Vulnerability from cvelistv5 – Published: 2025-09-17 01:49 – Updated: 2026-04-08 17:16
VLAI
Title
Developer Loggers for Simple History <= 0.5 - Authenticated (Admin+) Local File Inclusion
Summary
The Developer Loggers for Simple History plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.5 via the enabled_loggers parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| eskapism | Developer Loggers for Simple History |
Affected:
0 , ≤ 0.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10050",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T13:10:22.333533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T13:10:31.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Developer Loggers for Simple History",
"vendor": "eskapism",
"versions": [
{
"lessThanOrEqual": "0.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Developer Loggers for Simple History plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.5 via the enabled_loggers parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:16:32.498Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2ea3a9e-2a9a-4628-8ea1-e18e756f915f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3361543%40developer-loggers-for-simple-history\u0026new=3361543%40developer-loggers-for-simple-history\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Developer Loggers for Simple History \u003c= 0.5 - Authenticated (Admin+) Local File Inclusion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10050",
"datePublished": "2025-09-17T01:49:16.544Z",
"dateReserved": "2025-09-05T18:55:18.588Z",
"dateUpdated": "2026-04-08T17:16:32.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5760 (GCVE-0-2025-5760)
Vulnerability from cvelistv5 – Published: 2025-06-06 11:13 – Updated: 2026-04-08 17:17
VLAI
Title
Simple History <= 5.8.1 - Authenticated (Administrator+) Sensitive Information Exposure via Detective Mode
Summary
The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin’s logger captures the entire contents of $_POST (and sometimes raw request bodies or $_GET) without redacting any password‐related keys. As a result, whenever a user submits a login form, whether via native wp_login or a third‐party login widget, their actual password is written in clear text into the logs. An authenticated attacker or any user whose actions generate a login event will have their password recorded; an administrator (or anyone with database read access) can then read those logs and retrieve every captured password.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-256 - Plaintext Storage of a Password
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| eskapism | Simple History – Track, Log, and Audit WordPress Changes |
Affected:
0 , ≤ 5.8.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T15:41:55.248316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T16:08:09.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Simple History \u2013 Track, Log, and Audit WordPress Changes",
"vendor": "eskapism",
"versions": [
{
"lessThanOrEqual": "5.8.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Blair Crawford"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin\u2019s logger captures the entire contents of $_POST (and sometimes raw request bodies or $_GET) without redacting any password\u2010related keys. As a result, whenever a user submits a login form, whether via native wp_login or a third\u2010party login widget, their actual password is written in clear text into the logs. An authenticated attacker or any user whose actions generate a login event will have their password recorded; an administrator (or anyone with database read access) can then read those logs and retrieve every captured password."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256 Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:17:22.668Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6364415-da02-4236-b635-d8fbd27faa33?source=cve"
},
{
"url": "https://simple-history.com/support/detective-mode/"
},
{
"url": "https://wordpress.org/plugins/simple-history/#developers"
},
{
"url": "https://github.com/bonny/WordPress-Simple-History/issues/546"
},
{
"url": "https://github.com/bonny/WordPress-Simple-History/commit/68eab0cab6882eafef4bfece884093eeda5ac018"
},
{
"url": "https://wordpress.org/support/topic/security-vulnerability-passwords-stored-as-plain-text-in-logs/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3267487/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-05T21:58:10.000Z",
"value": "Disclosed"
}
],
"title": "Simple History \u003c= 5.8.1 - Authenticated (Administrator+) Sensitive Information Exposure via Detective Mode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-5760",
"datePublished": "2025-06-06T11:13:16.129Z",
"dateReserved": "2025-06-05T21:55:51.664Z",
"dateUpdated": "2026-04-08T17:17:22.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}