CVE-2026-1900 PUBLISHED

Link Whisper Free < 0.9.1 - Unauthenticated Settings and User Meta Update

Assigner: WPScan
Reserved: 04.02.2026 Published: 07.04.2026 Updated: 07.04.2026

The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.

Product Status

Vendor Unknown
Product Link Whisper Free
Versions Default: unaffected
  • affected from 0 to 0.9.1 (excl.)

Credits

  • yiğit ibrahim sağlam finder
  • WPScan coordinator

References

Problem Types

  • CWE-862 Missing Authorization CWE