PT-2026-42864 · WordPress · Wishlist Member
H0Xilo
·
Published
2026-05-23
·
Updated
2026-05-23
·
CVE-2026-6895
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WishList Member versions prior to 3.30.2
Description
Missing authorization in the
export settings() function allows for sensitive information disclosure and privilege escalation. The function fails to perform capability checks, enabling an attacker to retrieve the REST API Secret Key via an AJAX JSON response. With this key, an attacker can authenticate to the WishList Member API, create a new membership level with the administrator WordPress role, and register an arbitrary administrator-level user account, leading to a complete site takeover.Recommendations
Update to a version later than 3.30.1.
As a temporary workaround, restrict access to the
export settings() function to minimize the risk of exploitation.Fix
LPE
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wishlist Member