PT-2026-42865 · WordPress · Wishlist Member

H0Xilo

·

Published

2026-05-23

·

Updated

2026-05-23

·

CVE-2026-6897

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Wishlist Member versions prior to 3.30.2
Description The Wishlist Member plugin for WordPress allows unauthorized modification of data because the save settings() function in WishListMemberFeaturesTeam Accounts lacks a capability check. Authenticated attackers with Subscriber-level access or higher can update arbitrary plugin options, including the REST API Secret Key. This can be leveraged to create a new membership level with the administrator WordPress role and register an administrator-level user account, leading to a complete site takeover.
Recommendations Update to a version newer than 3.30.1. As a temporary workaround, restrict access to the save settings() function to prevent unauthorized users from modifying plugin settings.

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-6897

Affected Products

Wishlist Member