A low-privilege user with only a basic WordPress account — such as a subscriber or registered site member — can take full control of the site's administrator account without any technical expertise, provided the experimental features setting was ever enabled. A compromised WordPress administrator account gives an attacker the ability to alter site content, install malicious plugins, steal customer data stored on or passing through the site, and use the site as an attack platform against visitors. For organizations that run WordPress as a customer-facing or revenue-generating property, this represents a direct risk of data theft, reputational damage, and potential regulatory exposure if personal or financial data is accessible through the site backend.
You Are Affected If
You run Simple History – Track, Log, and Audit WordPress Changes plugin version 5.26.0 or earlier on any WordPress installation
The WordPress option simple_history_experimental_features_enabled is set to enabled (true) on that installation — this is not the default and must have been manually activated
At least one account at Subscriber level or above exists on the site (including any registered user, contributor, author, or editor)
The WordPress REST API (/wp-json/) is accessible to authenticated users — standard on most WordPress deployments
You have not yet updated Simple History to a version above 5.26.0 that addresses this vulnerability
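The first two conditions above can be checked per installation from the command line. The script below is an added example written for this advisory; it is not the plugin's own code or tooling. It assumes WP-CLI is installed on the host and that the plugin's directory slug is "simple-history"; the option name and the 5.26.0 ceiling are taken from the advisory text.

```shell
#!/bin/sh
# Added example: audit one WordPress install for the two conditions the
# advisory names (Simple History <= 5.26.0 and the experimental-features
# option enabled). Assumes WP-CLI ("wp") is on PATH and that the plugin's
# slug is "simple-history" (assumption; adjust if your install differs).

VULN_MAX="5.26.0"   # highest affected plugin version per the advisory

# version_le A B: exit 0 when dotted version A <= B, comparing each
# numeric component; missing components count as 0 (5.26 == 5.26.0).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 0
    }'
}

# is_affected VERSION OPTION_VALUE: exit 0 only when BOTH conditions hold.
# WP-CLI prints a boolean true option as "1"; the other spellings are
# accepted in case the value was stored as a string.
is_affected() {
    ver="$1"; opt="$2"
    version_le "$ver" "$VULN_MAX" || return 1
    case "$opt" in
        1|true|yes|on) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_site WP_PATH: query the live install with WP-CLI and report.
# Exit 0 = affected, 1 = not affected, 2 = plugin not installed.
audit_site() {
    path="$1"
    ver=$(wp --path="$path" plugin get simple-history --field=version 2>/dev/null) \
        || { echo "simple-history not installed at $path"; return 2; }
    # A missing option is treated as disabled (the advisory's default).
    opt=$(wp --path="$path" option get simple_history_experimental_features_enabled 2>/dev/null || echo 0)
    if is_affected "$ver" "$opt"; then
        echo "AFFECTED: $path runs simple-history $ver with experimental features enabled"
        return 0
    fi
    echo "not affected: $path (simple-history $ver, option='$opt')"
    return 1
}

# Usage: ./audit-simple-history.sh /var/www/example   (one install per call)
if [ $# -gt 0 ]; then
    audit_site "$1"
fi
```

Run it once per WordPress root (or loop over a list of roots); any "AFFECTED" line is a site to remediate by disabling the option or updating the plugin, which maps directly onto the two remediation choices in the talking points. The pure check lives in `is_affected` so it can be exercised without a live install, and the live query is isolated in `audit_site`.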
Board Talking Points
A low-privilege user on any WordPress site running the Simple History plugin with experimental features enabled can steal administrator credentials and take full control of the site.
Immediately audit all WordPress properties for this plugin and disable experimental features or update the plugin within 24 hours.
Failure to act leaves website integrity, customer data, and brand reputation exposed to takeover by any registered site user.