CVE-2026-1900
Unauthenticated REST Endpoint Allows Settings Update in Link Whisper Plugin

Publication date: 2026-04-07

Last updated on: 2026-04-13

Assigner: WPScan

Description
The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: linkwhisper
Product: link_whisper
Version / Range: up to 0.9.1 (excluding 0.9.1)
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1900 affects the Link Whisper Free WordPress plugin versions prior to 0.9.1. It involves a publicly accessible REST API endpoint that does not require authentication, specifically the `/wp-json/link-whisper/ai-auth` endpoint.

This vulnerability allows an attacker to send a POST request with parameters like `access_token`, `user_id`, and `uid` to update plugin settings and user meta data without needing to be authenticated.

Successful exploitation results in unauthorized creation or modification of database entries related to user meta and plugin settings, potentially enabling the attacker to control or manipulate user data and plugin behavior.


How can this vulnerability impact me?

This vulnerability can allow an attacker to modify plugin settings and user meta data without authorization.

Such unauthorized changes could lead to manipulation of user data and plugin behavior, potentially compromising the integrity and security of your WordPress site.

Depending on the nature of the changes, this could result in data corruption, unauthorized access, or other security issues affecting site functionality and user trust.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized POST requests to the REST API endpoint `/wp-json/link-whisper/ai-auth` on WordPress sites using the Link Whisper Free plugin prior to version 0.9.1.

A suggested command to test or detect this vulnerability is to send a crafted POST request to the endpoint and observe the response. For example, using curl:

  • curl -X POST "https://your-wordpress-site/wp-json/link-whisper/ai-auth" -d "access_token=ai-malicious123" -d "user_id=attacker_controlled" -d "uid=1" -H "Content-Type: application/x-www-form-urlencoded"

If the response is "ok", it indicates the endpoint is accessible without authentication and vulnerable.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to update plugin settings and user meta data via a publicly accessible REST endpoint. This unauthorized access and potential manipulation of user data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over personal data access and integrity.

Specifically, the ability to modify user meta data without authentication may result in unauthorized disclosure, alteration, or misuse of personal information, thereby impacting compliance with standards that mandate confidentiality, integrity, and accountability of sensitive data.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability in Link Whisper Free versions prior to 0.9.1, you should immediately update the plugin to version 0.9.1 or later where the issue is fixed.

If updating immediately is not possible, restrict access to the REST endpoint `/wp-json/link-whisper/ai-auth` by implementing authentication or firewall rules to prevent unauthenticated POST requests.

Monitor your site for any unauthorized changes to plugin settings or user meta data and review logs for suspicious POST requests to the vulnerable endpoint.
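As an added defender-side example (not code from the page, the plugin or WPScan), the script below applies the log-review advice above to constructed sample access-log lines in combined log format. The IP addresses, timestamps and user agents are made up; the `?rest_route=` form is the alternate REST URL WordPress accepts when pretty permalinks are disabled, so a check that only looks for `/wp-json/` would miss it.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not taken from a real site.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Apr/2026:10:12:01 +0000] "POST /wp-json/link-whisper/ai-auth HTTP/1.1" 200 2 "-" "curl/8.5.0"
198.51.100.7 - - [08/Apr/2026:10:12:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Apr/2026:10:12:09 +0000] "POST /index.php?rest_route=/link-whisper/ai-auth HTTP/1.1" 200 2 "-" "python-requests/2.31"
192.0.2.55 - - [08/Apr/2026:10:13:44 +0000] "POST /wp-json/link-whisper/ai-auth HTTP/1.1" 403 48 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Apr/2026:10:14:00 +0000] "GET /wp-json/link-whisper/ai-auth HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Fields of a combined-log line that matter here: client address, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Both URL forms WordPress routes to the same REST endpoint: the /wp-json/ prefix and
# the ?rest_route= query parameter used when pretty permalinks are off.
ENDPOINT_RE = re.compile(
    r'(?:/wp-json/link-whisper/ai-auth|[?&]rest_route=/?link-whisper/ai-auth)(?:[/?&]|$)'
)

def find_ai_auth_posts(log_text):
    """Return one dict per POST to the Link Whisper ai-auth route, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if not ENDPOINT_RE.search(m.group("path")):
            continue
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                     "path": m.group("path"), "status": int(m.group("status"))})
    return hits

def summarize(hits):
    """Count accepted (2xx) POSTs per source address; a 2xx means the server processed the update."""
    return Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)

if __name__ == "__main__":
    hits = find_ai_auth_posts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["path"]}')
    print("accepted POSTs per source:", dict(summarize(hits)))
```

On a real site, pipe the web server's access log into `find_ai_auth_posts` and treat any 2xx hit from before the 0.9.1 update as a reason to review the plugin settings and user meta for unexpected changes.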

