Impact
The Simple History – Track, Log, and Audit WordPress Changes plugin allows a logged‑in user with Subscriber privileges or higher to call reaction endpoints that use a generic permissions callback. This callback only verifies that the requester is authenticated and does not enforce the per‑logger capability checks normally applied by the event query system. As a result, a Subscriber can submit POST requests to /wp-json/simple-history/v1/events/<id>/react with a _fields=context parameter and retrieve the full context of any event. The context of a password‑reset event contains the reset URL and its key, enabling an attacker to complete an administrator password reset and seize the account. The exploitation chain requires the administrator to have enabled the experimental features option and a brute‑force of recent event IDs, but the vulnerability is fully exploitable once those conditions are met.
Affected Systems
The vulnerability affects the Simple History – Track, Log, and Audit WordPress Changes plugin from eskapism up to and including version 5.26.0. It is active only when the optional experimental features setting (simple_history_experimental_features_enabled) is turned on by the site administrator.
Risk and Exploitability
With a CVSS score of 7.5, the vulnerability represents a high‑severity risk. No EPSS data is available and the issue is not listed in CISA KEV, so the real‑world exploitation probability is uncertain, but the attack path is straightforward for an authenticated user. The attacker requires no additional software or privilege‑escalation steps beyond obtaining a Subscriber account, triggering a password reset for an administrator, brute‑forcing recent event IDs, and using the extracted reset key. Because the plugin’s REST endpoints are exposed over HTTP(S), an attacker can carry out these steps remotely with only network access to the site.
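The attack path above leaves a recognisable trace at the web‑server layer: one client issuing a run of POST requests to the react endpoint across many event IDs while asking for the context field. The following Python script is an added detection example for this advisory, not code from the plugin or from OpenCVE. It assumes combined‑log‑format access logs; the endpoint path comes from the advisory, while the sample log lines, addresses, event IDs and the `min_ids`/`window` thresholds are constructed for the example.

```python
"""Flag event-ID enumeration against the Simple History react endpoint in
web-server access logs.  Added example with constructed input; not plugin code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample access-log lines (combined log format).  Addresses,
# timestamps, event IDs and sizes are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "POST /wp-json/simple-history/v1/events/1040/react?_fields=context HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "POST /wp-json/simple-history/v1/events/1041/react?_fields=context HTTP/1.1" 200 498
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "POST /wp-json/simple-history/v1/events/1042/react?_fields=context HTTP/1.1" 200 530
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "POST /wp-json/simple-history/v1/events/1043/react?_fields=id,context HTTP/1.1" 200 1204
203.0.113.7 - - [10/Mar/2025:12:00:04 +0000] "POST /wp-json/simple-history/v1/events/1044/react?_fields=context HTTP/1.1" 200 501
198.51.100.23 - - [10/Mar/2025:12:05:10 +0000] "POST /wp-json/simple-history/v1/events/1043/react HTTP/1.1" 200 64
198.51.100.23 - - [10/Mar/2025:12:07:44 +0000] "GET /wp-json/simple-history/v1/events?per_page=10 HTTP/1.1" 200 8812
192.0.2.9 - - [10/Mar/2025:12:09:00 +0000] "POST /wp-json/simple-history/v1/events/1045/react?_fields=context HTTP/1.1" 403 97
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The react endpoint named in the advisory, with an optional query string.
REACT_RE = re.compile(
    r"^/wp-json/simple-history/v1/events/(?P<event_id>\d+)/react(?:\?(?P<query>.*))?$"
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "target": m["target"],
        "status": int(m["status"]),
    }


def react_context_requests(lines):
    """Yield (ip, ts, event_id, status) for POSTs to the react endpoint whose
    _fields parameter requests the context field (alone or in a comma list)."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        rm = REACT_RE.match(rec["target"])
        if not rm:
            continue
        params = parse_qs(rm["query"] or "")
        fields = [f for value in params.get("_fields", []) for f in value.split(",")]
        if "context" in fields:
            yield rec["ip"], rec["ts"], int(rm["event_id"]), rec["status"]


def find_enumeration(lines, min_ids=3, window=timedelta(minutes=5)):
    """Report clients that requested the context of at least `min_ids` distinct
    event IDs within `window`.  Returns {ip: {"event_ids": [...], "successful": n}}."""
    by_ip = defaultdict(list)
    for ip, ts, event_id, status in react_context_requests(lines):
        by_ip[ip].append((ts, event_id, status))

    findings = {}
    for ip, hits in by_ip.items():
        hits.sort()
        # Slide a time window over this client's requests; flag on the first
        # window that covers enough distinct event IDs.
        for start_ts, _, _ in hits:
            ids = {eid for ts, eid, _ in hits if start_ts <= ts <= start_ts + window}
            if len(ids) >= min_ids:
                findings[ip] = {
                    "event_ids": sorted(ids),
                    # HTTP 200 here means the context was actually returned.
                    "successful": sum(1 for _, _, s in hits if s == 200),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(info['event_ids'])} event IDs "
              f"({info['event_ids'][0]}..{info['event_ids'][-1]}), "
              f"{info['successful']} returned 200")
```

Two caveats when applying this to real traffic. A REST client may send `_fields` in the POST body rather than the query string, in which case the access log will not show it and only the burst of POSTs across consecutive event IDs remains visible; logging at the WordPress layer sees the parameter regardless of where it was sent. Second, a 200 response to such a request on an affected version means the context was disclosed, so those hits warrant a password-reset of any administrator whose reset event falls in the enumerated ID range. Since the advisory states the endpoint behaviour is only active with the experimental features setting enabled, confirming that setting is off (or the plugin is updated) is the first check to make.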
OpenCVE Enrichment