Skip to main content

Link Whisper Premium EUVDEUVD-2026-41352

| CVE-2026-57353 MEDIUM
Missing Authorization (CWE-862)
2026-07-02 Patchstack GHSA-2565-6q46-9x5v
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Subscriber-level auth required (PR:L); network-accessible plugin endpoint (AV:N); no confidentiality or availability impact, only unauthorized write/modify actions (I:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:35 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Link Whisper Premium <= 2.9.0 versions.

AnalysisAI

Broken access control in Link Whisper Premium WordPress plugin versions 2.9.0 and below allows subscriber-level authenticated users to perform privileged actions that should be restricted to higher-capability roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privilege users to make unauthorized modifications with high integrity impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress subscriber account
Delivery
Authenticate to target site
Exploit
Craft HTTP request to privileged plugin endpoint
Execution
Bypass missing authorization check
Impact
Perform unauthorized content or link modification

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess at least a WordPress subscriber-level account on the target installation, as confirmed by the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) reflects a realistic threat model: network-accessible (AV:N), low complexity (AC:L), requiring only low-privilege authentication (PR:L), with high integrity impact and no confidentiality or availability impact (C:N/I:H/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or already holds a subscriber account on a WordPress site running Link Whisper Premium 2.9.0 or earlier. The attacker sends a crafted authenticated HTTP request to a plugin endpoint that lacks proper capability checks, triggering an unauthorized action - such as modifying internal link configurations or injecting links into posts - without possessing the editor or admin role normally required. …
Remediation Update Link Whisper Premium to a version above 2.9.0; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/link-whisper-premium/vulnerability/wordpress-link-whisper-premium-plugin-2-9-0-broken-access-control-vulnerability?_s_id=cve should be consulted for the exact patched release version, which was not independently confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy