Simple History <= 5.24.0 - Unauthenticated Information Exposure
Description
The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.24.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=5.24.0What Changed in the Fix
Changes introduced in v5.24.1
Source Code
WordPress.org SVN# Exploitation Research Plan: Simple History Unauthenticated Information Exposure (CVE-2026-39473) ## 1. Vulnerability Summary The **Simple History** plugin (up to version 5.24.0) is vulnerable to **Unauthenticated Information Exposure**. The vulnerability exists because the plugin's REST API endpo…
Show full research plan
Exploitation Research Plan: Simple History Unauthenticated Information Exposure (CVE-2026-39473)
1. Vulnerability Summary
The Simple History plugin (up to version 5.24.0) is vulnerable to Unauthenticated Information Exposure. The vulnerability exists because the plugin's REST API endpoint for retrieving activity logs (/wp-json/simple-history/v1/events) fails to implement a proper permission_callback or implements one that incorrectly permits unauthenticated access. This allows any network-level attacker to fetch the entire site activity history, which includes sensitive data like user emails, IP addresses, usernames, and details of configuration changes.
2. Attack Vector Analysis
- Target Endpoint:
/wp-json/simple-history/v1/events - Alternative Endpoint:
/wp-json/simple-history/v1/events/<id>/surrounding(introduced in 5.24.0) - HTTP Method:
GET - Authentication: None (Unauthenticated)
- Preconditions:
- The plugin must be active.
- The REST API must be enabled (default in WordPress).
- Parameters:
per_page: Number of events to retrieve (e.g., 100).page: Page number for pagination.
3. Code Flow
- Request Entry: An unauthenticated request is made to
GET /wp-json/simple-history/v1/events. - REST API Routing: WordPress matches the route to the controller registered by Simple History (likely in
inc/class-sh-rest-api-controller.php, though not in the provided snippets). - Permission Check: The
permission_callbackfor this route returnstrueor fails to check for theedit_pagesormanage_optionscapability. - Data Retrieval: The controller utilizes the
Simple_History\Log_Queryclass (mentioned indropins/class-rss-dropin.php) to fetch event data from the database. - Information Exposure: The
Log_Queryresults are returned as a JSON response, including theinitiator(user details),context(additional event metadata), andmessage.
4. Nonce Acquisition Strategy
This vulnerability is an Unauthenticated Information Exposure in a REST API GET endpoint. In WordPress, GET requests to the REST API typically do not require a _wpnonce if the permission_callback is set to __return_true or is missing entirely, as nonces are primarily used for CSRF protection in state-changing requests or for session authentication.
Since the goal is unauthenticated exploitation:
- No Nonce Required: The primary exploit assumes the endpoint is public.
- Bypass Verification: If the endpoint returns a
401 Unauthorizedor403 Forbiddenwith a message suggesting a missing nonce, it indicates that the endpoint might be restricted but improperly configured. However, the CVSS 5.3 rating and the "Unauthenticated" description strongly suggest that no authentication (and thus no nonce) is needed for the vulnerable version.
5. Exploitation Strategy
The goal is to demonstrate that an unauthenticated user can access the activity log.
Step-by-Step Plan:
- Baseline Check: Confirm the REST API is reachable.
- Targeted Query: Execute an unauthenticated GET request to the events endpoint.
- Data Extraction: Parse the JSON response to verify the presence of sensitive data (usernames, emails).
HTTP Request (using http_request tool):
GET /wp-json/simple-history/v1/events?per_page=50 HTTP/1.1
Host: localhost:8080
Accept: application/json
Payloads:
- Basic log retrieval:
/wp-json/simple-history/v1/events - Pagination to find older data:
/wp-json/simple-history/v1/events?page=2&per_page=100 - Specific event details:
/wp-json/simple-history/v1/events/<id>(if IDs are discovered)
6. Test Data Setup
To confirm the exposure of sensitive data, we must ensure there is sensitive data in the log.
- Create a Victim User:
wp user create victim_user victim@example.com --role=author --user_pass=password123 - Perform Administrative Actions:
wp option update blogname
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.