{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39473", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:42:07.235Z", "datePublished": "2026-04-08T08:30:08.855Z", "dateUpdated": "2026-04-29T09:52:01.820Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "simple-history", "product": "Simple History", "vendor": "P\u00e4r Thernstr\u00f6m", "versions": [{"changes": [{"at": "5.24.1", "status": "unaffected"}], "lessThanOrEqual": "5.24.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "timomangcut | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:51.109Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in P\u00e4r Thernstr\u00f6m Simple History simple-history allows Retrieve Embedded Sensitive Data.<p>This issue affects Simple History: from n/a through <= 5.24.0.</p>"}], "value": "Insertion of Sensitive Information Into Sent Data vulnerability in P\u00e4r Thernstr\u00f6m Simple History simple-history allows Retrieve Embedded Sensitive Data.This issue affects Simple History: from n/a through <= 5.24.0."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:01.820Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/simple-history/vulnerability/wordpress-simple-history-plugin-5-24-0-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Simple History plugin <= 5.24.0 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T16:36:48.717558Z", "id": "CVE-2026-39473", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:38:55.797Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39473", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T16:36:48.717558Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:36:42.010Z"}}], "cna": {"title": "WordPress Simple History plugin <= 5.24.0 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "timomangcut | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "affected": [{"vendor": "P\u00e4r Thernstr\u00f6m", "product": "Simple History", "versions": [{"status": "affected", "changes": [{"at": "5.24.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.24.0"}], "packageName": "simple-history", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:51.109Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/simple-history/vulnerability/wordpress-simple-history-plugin-5-24-0-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in P\u00e4r Thernstr\u00f6m Simple History simple-history allows Retrieve Embedded Sensitive Data.This issue affects Simple History: from n/a through <= 5.24.0.", "supportingMedia": [{"type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in P\u00e4r Thernstr\u00f6m Simple History simple-history allows Retrieve Embedded Sensitive Data.<p>This issue affects Simple History: from n/a through <= 5.24.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:08.855Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39473", "state": "PUBLISHED", "dateUpdated": "2026-04-13T16:38:55.797Z", "dateReserved": "2026-04-07T10:42:07.235Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:08.855Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in P\u00e4r Thernstr\u00f6m Simple History simple-history allows Retrieve Embedded Sensitive Data.This issue affects Simple History: from n/a through <= 5.24.0."}], "id": "CVE-2026-39473", "lastModified": "2026-04-24T18:08:35.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:22.110", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/simple-history/vulnerability/wordpress-simple-history-plugin-5-24-0-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.24.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Simple History", "source": "cna", "vendor": "P\u00e4r Thernstr\u00f6m"}, "product": "simple_history", "vendor": "p\u00e4r_thernstr\u00f6m"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T19:10:04.995074+00:00", "value": {"mitigation_remediation": ["Upgrade the Simple History plugin to a version newer than 5.24.0", "Verify that plugin logs are no longer accessible to unauthorized users after the update"], "summary": {"action": "Patch Now", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Simple History plugin developed by P\u00e4r Thernstr\u00f6m for WordPress. All releases up to and including version 5.24.0 are impacted. Sites using these versions are at risk if the plugin logs or data are accessible.", "description_and_impact": "The Simple History plugin for WordPress contains an insertion of sensitive information into sent data. This flaw allows an attacker to retrieve data that was not intended for public exposure, such as administrative or configuration details. The weakness is categorized as CWE\u2011201 (Information Exposure) and can compromise the confidentiality of a site by leaking confidential data.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while an EPSS score of less than 1% suggests a low likelihood of exploitation. The attack vector is inferred to involve access to plugin logs or data records that the plugin exposes; an attacker who can read those logs or an authenticated user with sufficient privileges could potentially exploit the flaw. Although no confirmed exploits have been reported, the combination of moderate severity and low exploitation probability still warrants timely remediation."}}}}, "created": "2026-04-08T19:30:52.991822+00:00", "updated": "2026-04-14T16:40:09.990665+00:00", "vendors": ["p\u00e4r_thernstr\u00f6m", "p\u00e4r_thernstr\u00f6m$PRODUCT$simple_history", "wordpress", "wordpress$PRODUCT$wordpress"]}