The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/<id>/react with the _fields=context query parameter and read the full context of any Simple History event — including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Simple History – Track, Log, and Audit WordPress Changes plugin contains a critical privilege escalation vulnerability in its event reaction endpoints that allows authenticated subscribers to perform actions reserved for higher-privileged users. The vulnerability exists because the react_to_event() and unreact_to_event() endpoints use a generic permission check (get_items_permissions_check()) that only verifies basic authentication status, bypassing the per-logger capability checks that should restrict access. This means any logged-in user, including those with minimal subscriber-level permissions, can manipulate event reactions and potentially access or modify audit logs they shouldn't have permission to view, directly undermining the security posture of WordPress sites relying on this plugin for compliance and forensic logging. Affecting all versions up to 5.26.0, this is particularly dangerous for organizations using Simple History to maintain tamper-evident audit trails.
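As an added example (not code from the page or from the Simple History project), the following Python detection runs over constructed access-log lines and flags any account that reads the context of many distinct events through the reaction endpoints within a short window, which is the enumeration pattern the advisory describes. The log layout, the user column and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample access-log lines (not from the original page); the
# assumed layout is: client_ip wp_user [ISO8601 time] "METHOD path" status
SAMPLE_LOG = """\
203.0.113.7 subscriber_a [2026-01-10T09:00:05] "POST /wp-json/simple-history/v1/events/4101/react?_fields=context" 200
203.0.113.7 subscriber_a [2026-01-10T09:00:06] "POST /wp-json/simple-history/v1/events/4102/react?_fields=context" 200
203.0.113.7 subscriber_a [2026-01-10T09:00:06] "POST /wp-json/simple-history/v1/events/4103/react?_fields=id,context" 200
203.0.113.7 subscriber_a [2026-01-10T09:00:07] "POST /wp-json/simple-history/v1/events/4104/react?_fields=context" 200
203.0.113.7 subscriber_a [2026-01-10T09:00:08] "POST /wp-json/simple-history/v1/events/4105/react?_fields=context" 200
198.51.100.2 editor_b [2026-01-10T09:30:00] "POST /wp-json/simple-history/v1/events/4099/react" 200
198.51.100.9 subscriber_c [2026-01-10T10:00:00] "POST /wp-json/simple-history/v1/events/4110/unreact?_fields=context" 200
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')
REACT_RE = re.compile(r'^/wp-json/simple-history/v1/events/(?P<id>\d+)/(?:un)?react'
                      r'(?:\?(?P<qs>.*))?$')

def context_read_events(log_text):
    # Yield (ip, user, timestamp, event_id) for each react/unreact request that asks for "context" via _fields
    for line in log_text.splitlines():
        rec = LINE_RE.match(line)
        if not rec:
            continue
        m = REACT_RE.match(rec['path'])
        if not m:
            continue
        qs = parse_qs(m['qs'] or '')
        fields = {f for v in qs.get('_fields', []) for f in v.split(',')}
        if 'context' in fields:
            yield (rec['ip'], rec['user'], datetime.fromisoformat(rec['ts']), int(m['id']))

def find_context_enumeration(log_text, threshold=5, window=timedelta(minutes=5)):
    # Flag each (ip, user) reading the context of >= threshold distinct event IDs in one window (threshold is an assumption)
    by_actor = defaultdict(list)
    for ip, user, ts, eid in context_read_events(log_text):
        by_actor[(ip, user)].append((ts, eid))
    findings = []
    for (ip, user), hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ids = {eid for ts, eid in hits[i:] if ts - start <= window}
            if len(ids) >= threshold:
                findings.append({"ip": ip, "user": user, "events": sorted(ids)})
                break
    return findings
```

Running `find_context_enumeration(SAMPLE_LOG)` reports only `subscriber_a`, who read the context of five different events within a few seconds; a single reaction without `_fields=context` is not flagged.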
While this CVE does not map to specific MITRE ATT&CK techniques, Casky's threat detection engine would identify the attack patterns associated with privilege escalation and unauthorized data access through several analytical lenses. Practitioners using Casky would observe findings related to Technique T1548 (Abuse Elevation Control Mechanism) as attackers exploit improper permission validation to escalate their effective privileges within the application. The platform would flag abnormal API activity patterns where low-privileged accounts (subscribers) perform administrative functions through REST endpoints, combined with detection of unauthorized access to sensitive audit log data. By mapping the endpoint behavior against the 754 security skills in Casky's framework, the system would surface recommendations for input validation hardening, proper capability enforcement on REST endpoints, and continuous monitoring of privilege boundary violations—enabling practitioners both to patch vulnerable code and to detect exploitation attempts in real time.
© 2026 Casky.AI, Inc. · AI Security Investigation