CVE-2025-62970

Severity: MEDIUM (CVSS 3.1 base score 5.3)
Published: 2025-10-27 ([email protected])

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Oct 27, 2025 - 02:15 (nvd), rated MEDIUM 5.3

Description (NVD)

Missing Authorization vulnerability in Spencer Haws Link Whisper Free link-whisper allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Link Whisper Free: from n/a through <= 0.9.2.

Analysis (AI)

The Link Whisper Free WordPress plugin, through version 0.9.2, allows unauthenticated remote attackers to read sensitive information because authorization checks are missing on API endpoints. The flaw bypasses the plugin's access controls and returns data that should be restricted. The CVSS 3.1 base score is 5.3 (confidentiality impact only) and the EPSS exploitation probability is 0.03%. No public exploit code or active exploitation had been identified at the time of analysis.

Technical Context (AI)

Link Whisper Free is a WordPress plugin that provides link suggestion and internal linking features. The vulnerability is classified as CWE-862 (Missing Authorization): the application fails to enforce a permission check before performing a sensitive operation. WordPress plugins expose functionality through REST API endpoints and admin actions (admin-ajax.php handlers); this plugin's endpoints do not verify that the caller is authenticated or holds an appropriate role before returning data. The root cause is an improperly implemented WordPress capability check (such as current_user_can()) or missing nonce validation on the accessible endpoints, so any network-connected client can invoke restricted functions. Note that a nonce is a CSRF defence that ties a request to a session and an action; it does not by itself establish that the caller is authorized, so a capability check is still required alongside it.

Affected Products (AI)

Spencer Haws Link Whisper Free WordPress plugin versions from inception through 0.9.2 are affected. The plugin is available from the WordPress plugin repository under the name Link Whisper Free. The vulnerability was confirmed in version 0.8.8 per the Patchstack reference, with the affected range extending at minimum to version 0.9.2.

Remediation (AI)

Update the Link Whisper Free plugin to the latest patched version immediately; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/link-whisper/vulnerability/wordpress-link-whisper-free-plugin-0-8-8-broken-access-control-vulnerability) for the exact remediated version number. If you cannot update immediately, reduce exposure by disabling the plugin or by using Web Application Firewall rules to block unauthenticated requests to the affected endpoints. After patching, verify that every custom endpoint the installation exposes enforces a capability check via current_user_can() and, for admin-ajax handlers, nonce validation.
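The following is an added illustration of the CWE-862 pattern described above and of the checks the remediation asks you to verify; it is not code from Link Whisper or from this advisory. The route names (example-plugin/v1/report), the manage_options capability and the nonce action name are hypothetical; only the WordPress API calls (register_rest_route, current_user_can, check_ajax_referer, rest_authorization_required_code, wp_send_json_error) are real.

```php
<?php
// Added example, not Link Whisper's code. Route names, capability and
// nonce action are hypothetical stand-ins for a plugin's own endpoints.

add_action( 'rest_api_init', function () {

    // Weak pattern (the CWE-862 shape): permission_callback unconditionally
    // returns true, so any unauthenticated client can read the response.
    register_rest_route( 'example-plugin/v1', '/report', array(
        'methods'             => 'GET',
        'callback'            => 'example_plugin_report',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: the same handler, now gated by a capability check.
    // Returning WP_Error makes the REST server answer 401 (anonymous) or
    // 403 (logged in without the capability) before the callback runs.
    register_rest_route( 'example-plugin/v1', '/report-secure', array(
        'methods'             => 'GET',
        'callback'            => 'example_plugin_report',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to view this report.', 'example-plugin' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

function example_plugin_report( WP_REST_Request $request ) {
    // Placeholder payload standing in for whatever the plugin would return.
    return rest_ensure_response( array( 'links' => array() ) );
}

// admin-ajax.php handlers: registering only the wp_ajax_ hook (and not the
// wp_ajax_nopriv_ variant) keeps the action unreachable for anonymous users,
// but the handler must still check both the nonce and the capability.
add_action( 'wp_ajax_example_plugin_report', 'example_plugin_ajax_report' );

function example_plugin_ajax_report() {
    // The nonce proves the request came from the site's own UI (CSRF defence).
    // It is not an authorization decision, hence the capability check below.
    check_ajax_referer( 'example_plugin_report_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_send_json_success( array( 'links' => array() ) );
}
```

To confirm a site after patching, request each custom REST route without a session cookie (for example with curl against /wp-json/<namespace>/<route>) and expect a 401 status rather than a 200 with data; a 200 from an anonymous request is the signature of the missing check. The same test applied to the weak route above returns 200, which is the behaviour the advisory describes.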


CVE-2025-62970 vulnerability details – vuln.today
