CVE-2025-62970

Vulnerability

Overview The vulnerability is a missing authorization (broken access control) issue in the WordPress plugin Link Whisper Free, affecting versions from n/a through 0.9.2. The plugin fails to properly check user permissions or nonce tokens before executing certain functions, allowing unauthenticated or low-privilege users to perform actions that should require higher privileges [1]. This type of bug is classified as CWE-862 (Missing Authorization).

Attack

Vector and Prerequisites Exploitation requires no special authentication; an attacker can directly access vulnerable endpoints or functions that lack proper access controls. The attack surface is the plugin's administrative or AJAX handlers that do not verify user capabilities. No other prerequisites are needed beyond network access to a WordPress site running a vulnerable version [1].

Impact

An unauthenticated attacker can exploit this to execute privileged actions, such as modifying settings or accessing sensitive data, depending on the missing checks. While the plugin's developer rates the severity as low, such vulnerabilities are known to be used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Mitigation

The issue has been fixed in version 0.9.3 of Link Whisper Free. Users are strongly advised to update immediately. For Patchstack users, auto-updates can be enabled for vulnerable plugins. No workaround is provided other than updating [1].