PT-2026-42864 · WordPress · Wishlist Member

H0Xilo

·

Published

2026-05-23

·

Updated

2026-05-23

·

CVE-2026-6895

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions WishList Member versions prior to 3.30.2
Description Missing authorization in the export settings() function allows for sensitive information disclosure and privilege escalation. The function fails to perform capability checks, enabling an attacker to retrieve the REST API Secret Key via an AJAX JSON response. With this key, an attacker can authenticate to the WishList Member API, create a new membership level with the administrator WordPress role, and register an arbitrary administrator-level user account, leading to a complete site takeover.
Recommendations Update to a version later than 3.30.1. As a temporary workaround, restrict access to the export settings() function to minimize the risk of exploitation.

Fix

LPE

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-6895

Affected Products

Wishlist Member