WordPress Plugin Vulnerabilities

Link Whisper Free < 0.9.1 - Unauthenticated Settings and User Meta Update

Description

The plugin has a publicly accessible REST endpoint that allows unauthenticated settings updates.

Proof of Concept

Affects Plugins

Plugin icon
link-whisper
Fixed in 0.9.1

References

CVE
CVE-2026-1900

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
yiğit ibrahim sağlam
Submitter
yiğit ibrahim sağlam
Submitter website
https://ibrahimsql.com
Submitter twitter
ibrahimsql
Verified
Yes
WPVDB ID
dc10b627-7981-4c53-bc9d-e87418f3fcfc

Timeline

Publicly Published
2026-03-17 (about 1 month ago)
Added
2026-03-17 (about 1 month ago)
Last Updated
2026-03-17 (about 1 month ago)

Other

Published
Title
Published
2025-12-11
Title
Simple Bike Rental < 1.0.7 - Missing Authorization to Authenticated (Subscriber+) Sensitive Booking Data Exposure
Published
2025-11-07
Title
Ovatheme Events Manager < 1.8.7 - Missing Authorization
Published
2025-12-26
Title
Medical Equipment eCommerce WordPress Theme <= 1.0.9 - Missing Authorization
Published
2025-03-03
Title
Newscrunch < 1.8.4.1 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2024-11-19
Title
PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes < 3.5.16 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure