PT-2026-42865 · WordPress · Wishlist Member
H0Xilo
·
Published
2026-05-23
·
Updated
2026-05-23
·
CVE-2026-6897
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Wishlist Member versions prior to 3.30.2
Description
The Wishlist Member plugin for WordPress allows unauthorized modification of data because the
save settings() function in WishListMemberFeaturesTeam Accounts lacks a capability check. Authenticated attackers with Subscriber-level access or higher can update arbitrary plugin options, including the REST API Secret Key. This can be leveraged to create a new membership level with the administrator WordPress role and register an administrator-level user account, leading to a complete site takeover.Recommendations
Update to a version newer than 3.30.1.
As a temporary workaround, restrict access to the
save settings() function to prevent unauthorized users from modifying plugin settings.Fix
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wishlist Member