Executive Summary

CVE-2026-1900 affects the Link Whisper Free WordPress plugin versions prior to 0.9.1. It involves a publicly accessible REST API endpoint that does not require authentication, specifically the `/wp-json/link-whisper/ai-auth` endpoint.

This vulnerability allows an attacker to send a POST request with parameters like `access_token`, `user_id`, and `uid` to update plugin settings and user meta data without needing to be authenticated.

Successful exploitation results in unauthorized creation or modification of database entries related to user meta and plugin settings, potentially enabling the attacker to control or manipulate user data and plugin behavior.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to modify plugin settings and user meta data without authorization.

Such unauthorized changes could lead to manipulation of user data and plugin behavior, potentially compromising the integrity and security of your WordPress site.

Depending on the nature of the changes, this could result in data corruption, unauthorized access, or other security issues affecting site functionality and user trust.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the REST API endpoint `/wp-json/link-whisper/ai-auth` on WordPress sites using the Link Whisper Free plugin prior to version 0.9.1.

A suggested command to test or detect this vulnerability is to send a crafted POST request to the endpoint and observe the response. For example, using curl:

• curl -X POST "https://your-wordpress-site/wp-json/link-whisper/ai-auth" -d "access_token=ai-malicious123" -d "user_id=attacker_controlled" -d "uid=1" -H "Content-Type: application/x-www-form-urlencoded"

If the response is "ok", it indicates the endpoint is accessible without authentication and vulnerable.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to update plugin settings and user meta data via a publicly accessible REST endpoint. This unauthorized access and potential manipulation of user data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over personal data access and integrity.

Specifically, the ability to modify user meta data without authentication may result in unauthorized disclosure, alteration, or misuse of personal information, thereby impacting compliance with standards that mandate confidentiality, integrity, and accountability of sensitive data.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the vulnerability in Link Whisper Free versions prior to 0.9.1, you should immediately update the plugin to version 0.9.1 or later where the issue is fixed.

If updating immediately is not possible, restrict access to the REST endpoint `/wp-json/link-whisper/ai-auth` by implementing authentication or firewall rules to prevent unauthenticated POST requests.

Monitor your site for any unauthorized changes to plugin settings or user meta data and review logs for suspicious POST requests to the vulnerable endpoint.

Useful 0 Not Useful 0