Platform: wordpress
Component: link-whisper
Fixed in: 0.9.1
CVE-2026-1900 affects the Link Whisper Free plugin for WordPress, a tool designed to help build internal links. This vulnerability allows unauthenticated attackers to perform unauthorized actions within the plugin, potentially compromising website functionality or data. The issue is present in all versions of the plugin up to 0.9.1 (exclusive). A patch is available in version 0.9.1, addressing the missing capability check.
CVE-2026-1900 in the Link Whisper Free plugin for WordPress exposes a critical vulnerability: unauthorized access. A missing capability check within a function allows unauthenticated attackers to perform actions they should not be able to perform. This could lead to malicious modifications, creation of harmful internal links, or potential data breaches. The severity is high, particularly for sites relying on Link Whisper for internal link management and SEO, as a successful exploit could compromise site integrity and content quality. This vulnerability affects all versions of the plugin prior to 0.9.1.
An attacker can exploit this vulnerability by crafting specific HTTP requests targeting the vulnerable function. The lack of authentication requirements means the attacker can send these requests from anywhere without WordPress credentials. The success of the exploit hinges on the function's capabilities. The low barrier to entry means an attacker can bypass standard WordPress access controls and execute actions as an administrator. The difficulty of exploitation is low, requiring minimal technical expertise or prior access to the website.
Exploit Status
EPSS: 0.03% (10th percentile)
CVSS Vector
The recommended mitigation for CVE-2026-1900 is to immediately update Link Whisper Free to version 0.9.1 or later. This update addresses the missing capability check that enables unauthorized access. Prompt action is crucial to protect your website from potential exploitation. Furthermore, review WordPress user permissions to ensure only authorized users have administrative access. Regularly monitoring your website's logs for suspicious activity can also aid in detecting and responding to potential attacks.
Update to version 0.9.1, or a newer patched version
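One way to check an install against the "Fixed in" version above, as an added example that is not code from the plugin or from this advisory. The `plugins/link-whisper` directory name is assumed from the component slug, and the sample plugin file is constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "0.9.1"  # "Fixed in" value from this advisory
HEADER_BYTES = 8192      # WordPress reads plugin headers from the first 8 KiB

# Mirrors how WordPress matches header lines inside the leading comment block.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """Return the 'Version:' header value from plugin file text, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def version_key(version):
    """'0.9' -> (0, 9, 0); suffixes such as '-beta' are ignored.
    An unparsable string maps to (0, 0, 0), so it is reported as affected."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(p) for p in m.group(0).split(".")] if m else []
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed release."""
    return version_key(version) < version_key(fixed)

def audit_plugin(plugin_dir):
    """Return (version, affected) for the plugin directory, or (None, None)."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        with open(php, "rb") as fh:
            head = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
        # Only the main plugin file carries a 'Plugin Name:' header.
        if "Plugin Name:" in head:
            version = parse_version(head)
            if version:
                return version, is_affected(version)
    return None, None

def demo():
    # Constructed sample: a fake install whose header predates 0.9.1.
    with tempfile.TemporaryDirectory() as root:
        plugin = Path(root, "wp-content", "plugins", "link-whisper")
        plugin.mkdir(parents=True)
        (plugin / "link-whisper.php").write_text(
            "<?php\n/**\n * Plugin Name: Link Whisper Free\n * Version: 0.9.0\n */\n")
        return audit_plugin(plugin)

if __name__ == "__main__":
    print(demo())
```

Point `audit_plugin` at the real plugin directory on each site; a result of `(None, None)` means no plugin header was found there.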
It's an identifier for a security vulnerability in the Link Whisper Free WordPress plugin.
It allows unauthenticated attackers to perform unauthorized administrative actions.
Update Link Whisper Free to version 0.9.1 or later immediately.
Review WordPress user permissions and monitor your website logs.
Consult the CVE-2026-1900 details page on vulnerability databases like NIST NVD.