Description
The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.
Published: 2026-04-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Remote Settings Update
Action: Patch Now
AI Analysis

Impact

The Link Whisper Free WordPress plugin prior to version 0.9.1 exposes a publicly accessible REST endpoint that permits anyone to submit requests that update the plugin’s settings and user meta without authentication. This flaw allows an attacker to change configuration options, inject arbitrary data, or otherwise alter site behavior, potentially leading to defacement, unauthorized access, or information disclosure. The weakness is classified as CWE‑306 (Missing Authentication for Critical Function).

Affected Systems

The vulnerability affects the free version of the Link Whisper WordPress plugin in releases before 0.9.1. Any WordPress site that has the free Link Whisper plugin installed and has not updated to 0.9.1 or later is at risk. No other vendors or products are listed.

Risk and Exploitability

With a CVSS score of 6.5, the flaw is of moderate severity, and its EPSS score is below 1 percent, indicating a low likelihood of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits at the time of reporting. An attacker can exploit the flaw by sending HTTP requests to the REST endpoint over the network without authenticating, which enables remote modification of site settings without any additional access.

Generated by OpenCVE AI on April 14, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Link Whisper Free plugin to version 0.9.1 or later.



Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Mon, 13 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Linkwhisper link Whisper
Weaknesses CWE-306
CPEs cpe:2.3:a:linkwhisper:link_whisper:*:*:*:*:free:wordpress:*:*
Vendors & Products Linkwhisper link Whisper

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Linkwhisper
Linkwhisper link Whisper Free
Wordpress
Wordpress wordpress
Vendors & Products Linkwhisper
Linkwhisper link Whisper Free
Wordpress
Wordpress wordpress

Tue, 07 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.
Title Link Whisper Free < 0.9.1 - Unauthenticated Settings and User Meta Update
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-07T16:26:15.981Z

Reserved: 2026-02-04T14:48:19.268Z

Link: CVE-2026-1900

Vulnrichment

Updated: 2026-04-07T16:26:12.751Z

NVD

Status: Analyzed

Published: 2026-04-07T07:16:23.803

Modified: 2026-04-13T19:52:53.183

Link: CVE-2026-1900

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses