Impact
The vulnerability is a broken access control flaw that allows users holding only the subscriber role to perform actions or view data they are not authorized to access. An attacker could use the plugin's functionality to read or modify data, or to invoke privileged functions, within the WordPress site. The weakness is classified as CWE-862 (Missing Authorization), meaning the plugin does not adequately check the caller's permissions before exposing certain features.
Affected Systems
The issue exists in the WordPress "Link Whisper Premium" plugin, versions 2.9.0 and earlier, provided by the vendor LinkWhisper. Any WordPress installation running one of those versions is potentially affected.
Risk and Exploitability
The CVSS score of 6.5 classifies this flaw as a medium severity vulnerability. No EPSS score is available, and it is not listed in CISA's KEV catalog, so the current likelihood of exploitation may be limited. An attacker who holds a subscriber account can exploit the flaw from within the WordPress web application itself, through the plugin's normal user-facing functionality, because the plugin's internal authorization checks are bypassed. No permissions beyond the subscriber role are required.
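As an added illustration of the CWE-862 pattern the advisory describes, the snippet below contrasts a WordPress admin-ajax handler that omits any authorization check with the same handler written correctly, and shows the equivalent check for a REST route. This is example code written for this page; it is not Link Whisper's code, and the action names, option name, nonce name and the `manage_options` capability are hypothetical choices made for the illustration.

```php
<?php
/**
 * Added example (not Link Whisper's code): a WordPress admin-ajax handler
 * exhibiting CWE-862 (Missing Authorization), and the hardened version.
 * Action names, option name and capability are hypothetical.
 */

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* hooks fire for ANY authenticated user, including subscribers.
// Nothing here asks whether the caller is allowed to change plugin settings,
// so a subscriber can perform a privileged write.
function example_save_settings_unchecked() {
    $value = sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) );
    update_option( 'example_plugin_setting', $value ); // privileged write
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_unchecked', 'example_save_settings_unchecked' );

// --- Hardened pattern -----------------------------------------------------
function example_save_settings() {
    // 1. CSRF: the request must carry a nonce issued for this exact action.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Authorization: only users who may manage the site get through.
    //    A subscriber account fails this check and receives HTTP 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) );
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );

// --- Same principle for a REST route ---------------------------------------
// A permission_callback of '__return_true' is the REST-API spelling of
// CWE-862; the capability check belongs there, before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            $value = sanitize_text_field( $request->get_param( 'setting' ) );
            update_option( 'example_plugin_setting', $value );
            return rest_ensure_response( array( 'saved' => true ) );
        },
        // Runs before the callback. Cookie-authenticated REST calls must also
        // send a valid X-WP-Nonce header, which WordPress core verifies.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'setting' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

The nonce checked by `check_ajax_referer()` is generated server-side with `wp_create_nonce( 'example_save_settings' )` and handed to the page's script (for example via `wp_localize_script()`), so the nonce only proves the request originated from the site's own UI; it is `current_user_can()` that enforces who may act. When reviewing a plugin for this weakness, every `wp_ajax_*` and `wp_ajax_nopriv_*` hook and every `register_rest_route()` call is a place to confirm that a capability check, not just a nonce, precedes the sensitive operation.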
OpenCVE Enrichment