{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1900", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-02-04T14:48:19.268Z", "datePublished": "2026-04-07T06:00:11.155Z", "dateUpdated": "2026-04-07T16:26:15.981Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-07T06:00:11.155Z"}, "title": "Link Whisper Free < 0.9.1 - Unauthenticated Settings and User Meta Update", "problemTypes": [{"descriptions": [{"description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Link Whisper Free", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "0.9.1"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates."}], "references": [{"url": "https://wpscan.com/vulnerability/dc10b627-7981-4c53-bc9d-e87418f3fcfc/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "yi\u011fit ibrahim sa\u011flam", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T16:26:01.391370Z", "id": "CVE-2026-1900", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:26:15.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1900", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T16:26:01.391370Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:26:12.751Z"}}], "cna": {"title": "Link Whisper Free < 0.9.1 - Unauthenticated Settings and User Meta Update", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "yi\u011fit ibrahim sa\u011flam"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Link Whisper Free", "versions": [{"status": "affected", "version": "0", "lessThan": "0.9.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/dc10b627-7981-4c53-bc9d-e87418f3fcfc/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-07T06:00:11.155Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1900", "state": "PUBLISHED", "dateUpdated": "2026-04-07T16:26:15.981Z", "dateReserved": "2026-02-04T14:48:19.268Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-04-07T06:00:11.155Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linkwhisper:link_whisper:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "5862AD25-0EE5-4EF5-AD38-999A1BAE2682", "versionEndExcluding": "0.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates."}], "id": "CVE-2026-1900", "lastModified": "2026-04-13T19:52:53.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T07:16:23.803", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/dc10b627-7981-4c53-bc9d-e87418f3fcfc/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.9.1)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 91.0, "source": "matching"}]}, "original": {"product": "Link Whisper Free", "source": "cna", "vendor": "Unknown"}, "product": "link_whisper_free", "vendor": "linkwhisper"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-14T17:27:10.618188+00:00", "value": {"mitigation_remediation": ["Update the Link Whisper Free plugin to version 0.9.1 or later."], "summary": {"action": "Patch Now", "impact": "Unauthenticated Remote Settings Update"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the free version of the Link Whisper WordPress plugin released before 0.9.1. Users who have not updated to 0.9.1 or later are at risk. No other vendors or products are listed. The affected plugin is part of WordPress sites that have installed the free Link Whisper plugin.", "description_and_impact": "The Link Whisper Free WordPress plugin prior to version 0.9.1 exposes a publicly accessible REST endpoint that permits anyone to submit requests that update the plugin\u2019s settings and user meta without authentication. This flaw allows an attacker to change configuration options, inject arbitrary data, or otherwise alter site behavior, potentially leading to defacement, unauthorized access, or information disclosure. The weakness is classified as CWE\u2011306 (Missing Authentication for Critical Function).", "risk_and_exploitability": "With a CVSS score of 6.5 the flaw is of moderate severity, and its EPSS score is below 1 percent, indicating a low likelihood of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits at the time of reporting. Attackers can exploit the flaw by forming HTTP requests against the REST endpoint over the network, regardless of user authentication, thus enabling remote modification of site settings without additional access."}}}}, "created": "2026-04-07T09:36:21.404013+00:00", "updated": "2026-04-15T16:30:09.725888+00:00", "vendors": ["linkwhisper", "linkwhisper$PRODUCT$link_whisper_free", "wordpress", "wordpress$PRODUCT$wordpress"]}