PT-2026-42866 · WordPress · Wishlist Member

H0Xilo

·

Published

2026-05-23

·

Updated

2026-05-23

·

CVE-2026-6898

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Wishlist Member versions prior to 3.30.2
Description The Wishlist Member plugin for WordPress allows unauthorized modification of data because of a missing capability check in the generate api key() function. Authenticated attackers with Subscriber-level access or higher can update the REST API Secret Key. This allows for the creation of a new membership level assigned the administrator WordPress role and the registration of an arbitrary administrator-level user account, leading to a complete site takeover.
Recommendations Update to a version newer than 3.30.1. As a temporary workaround, restrict access to the generate api key() function to prevent unauthorized users from modifying the API Secret Key.

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-6898

Affected Products

Wishlist Member