{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39473", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:42:07.235Z", "datePublished": "2026-04-08T08:30:08.855Z", "dateUpdated": "2026-04-08T08:30:08.855Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "simple-history", "product": "Simple History", "vendor": "P\u00e4r Thernstr\u00f6m", "versions": [{"changes": [{"at": "5.24.1", "status": "unaffected"}], "lessThanOrEqual": "5.24.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "timomangcut | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:51.109Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in P\u00e4r Thernstr\u00f6m Simple History simple-history allows Retrieve Embedded Sensitive Data.<p>This issue affects Simple History: from n/a through <= 5.24.0.</p>"}], "value": "Insertion of Sensitive Information Into Sent Data vulnerability in P\u00e4r Thernstr\u00f6m Simple History simple-history allows Retrieve Embedded Sensitive Data.This issue affects Simple History: from n/a through <= 5.24.0."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:08.855Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/simple-history/vulnerability/wordpress-simple-history-plugin-5-24-0-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Simple History plugin <= 5.24.0 - Sensitive Data Exposure vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in P\u00e4r Thernstr\u00f6m Simple History simple-history allows Retrieve Embedded Sensitive Data.This issue affects Simple History: from n/a through <= 5.24.0."}], "id": "CVE-2026-39473", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:22.110", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/simple-history/vulnerability/wordpress-simple-history-plugin-5-24-0-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.24.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Simple History", "source": "cna", "vendor": "P\u00e4r Thernstr\u00f6m"}, "product": "simple_history", "vendor": "p\u00e4r_thernstr\u00f6m"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:27:44.672083+00:00", "value": {"mitigation_remediation": ["Update the Simple History plugin to a version newer than 5.24.0.", "If an update is not possible, deactivate or uninstall the plugin to stop data leakage.", "Review stored logs for any exposed sensitive information and purge or encrypt them appropriately.", "Check the plugin author\u2019s website or support channels for additional advisories or security patches."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The affected component is the WordPress Simple History plugin created by P\u00e4r Thernstr\u00f6m. All releases from the initial version through 5.24.0 are vulnerable, so any WordPress site that has any of those versions installed is at risk.", "description_and_impact": "The Simple History plugin for WordPress allows the insertion of sensitive information into data that is sent to users or external services, enabling the retrieval of embedded sensitive data. This flaw exposes confidential logs and user activity that the plugin records during site auditing. The vulnerability corresponds to CWE\u2011201, which describes information exposure resulting from accidental leaks.", "risk_and_exploitability": "The flaw directly threatens confidentiality by potentially revealing private logs and operative details. Due to the lack of explicit CVSS or EPSS data, the severity is evaluated as high; the attacker can trigger data leakage by exercising a function that outputs the sensitive logs, most likely through an administrator or a user with elevated privileges. Because the exploitation path is local and does not require remote network interaction, it is generally accessible to any privileged user on the affected site, making it a critical concern for any site that logs sensitive activity."}}}}, "created": "2026-04-08T19:30:52.991822+00:00", "updated": "2026-04-08T19:43:21.751833+00:00", "vendors": ["p\u00e4r_thernstr\u00f6m", "p\u00e4r_thernstr\u00f6m$PRODUCT$simple_history", "wordpress", "wordpress$PRODUCT$wordpress"]}