CVE-2026-6895

HIGH

Wishlist Member < 3.30.1 - Privilege Escalation

Title source: rule

Description

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'export_settings' function. This function returns the REST API Secret Key to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.

References (2)

Core 2

Core References

https://www.wordfence.com/threat-intel/vulnerabilities/id/5b313e3d-61e0-496e-af3b-155666fae059?source=cve

https://wishlistmember.com/

Scores

CVSS v3 8.8

EPSS 0.0035

EPSS Percentile 26.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-269

Status published

Products (1)

Wishlist Member/Wishlist Member < 3.30.1

Published May 23, 2026

Tracked Since May 23, 2026