PT-2026-42866 · WordPress · Wishlist Member
H0Xilo
·
Published
2026-05-23
·
Updated
2026-05-23
·
CVE-2026-6898
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Wishlist Member versions prior to 3.30.2
Description
The Wishlist Member plugin for WordPress allows unauthorized modification of data because of a missing capability check in the
generate api key() function. Authenticated attackers with Subscriber-level access or higher can update the REST API Secret Key. This allows for the creation of a new membership level assigned the administrator WordPress role and the registration of an arbitrary administrator-level user account, leading to a complete site takeover.Recommendations
Update to a version newer than 3.30.1.
As a temporary workaround, restrict access to the
generate api key() function to prevent unauthorized users from modifying the API Secret Key.Fix
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wishlist Member