Description
Subscriber Broken Access Control in Link Whisper Premium <= 2.9.0 versions.
Published: 2026-07-02
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken access control flaw that allows users with a subscriber role to perform actions or view data that they should not be authorized to access. This flaw could enable an attacker to read, modify, or execute privileged functions within the WordPress site by leveraging the plugin’s functionality. The weakness is categorized as CWE-862, indicating insufficient authorization checks for certain features.

Affected Systems

The issue exists in the WordPress "Link Whisper Premium" plugin, versions 2.9.0 and earlier, provided by the vendor LinkWhisper. Any WordPress installation that has installed one of those versions is potentially affected.

Risk and Exploitability

The CVSS score of 6.5 classifies this flaw as a medium severity vulnerability. No EPSS score is available, and it is not listed in CISA's KEV catalog, so the current exploitation likelihood may be limited. An attacker needs access to a subscriber account; the attack is then likely carried out through the WordPress web application itself, where the plugin’s internal checks are bypassed. The vulnerability can be exploited via the normal user interface without requiring permissions beyond the subscriber role.

Generated by OpenCVE AI on July 2, 2026 at 17:50 UTC.

Remediation

Vendor Solution

Update the WordPress Link Whisper Premium Plugin to the latest available version (at least 2.9.1).


OpenCVE Recommended Actions

  • Upgrade the WordPress Link Whisper Premium plugin to version 2.9.1 or later as the vendor recommends.
  • If an upgrade cannot be performed immediately, temporarily disable the plugin to prevent the vulnerability from being exploitable.
  • Review the capabilities assigned to the subscriber role and restrict them to only the permissions required for that role.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:30:00 +0000

Values Removed: (none)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Values Removed: (none)
Values Added:
  • Description: Subscriber Broken Access Control in Link Whisper Premium <= 2.9.0 versions.
  • Title: WordPress Link Whisper Premium plugin <= 2.9.0 - Broken Access Control vulnerability
  • Weaknesses: CWE-862
  • References
  • Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T12:43:08.999Z

Reserved: 2026-06-24T12:45:36.888Z

Link: CVE-2026-57353

Vulnrichment

Updated: 2026-07-02T12:43:06.341Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T18:00:05Z

Weaknesses