CVE-2026-6897
Published 2026-05-23
Priority: P2 60 · Severity: High · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.24% (15.4th percentile)
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\Team_Accounts::save_settings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options, including the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wishlist_member | wishlist_member | <= 3.30.1 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| cvelistv5 | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
GHSA
GHSA-wgj9-7jrr-37h9 · ghsa_unreviewed · 2026-05-26 · CVE-2026-6897 · HIGH · CWE-269
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\Team_Accounts::save_settings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options, including the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.
VulDB
Wishlist Member Plugin up to 3.30.1 on WordPress REST API Team_Accounts privileges management (EUVD-2026-31525)
vuldb · 2026-05-23 · CVE-2026-6897 · CRITICAL
A vulnerability classified as critical has been found in Wishlist Member Plugin up to 3.30.1 on WordPress. This affects the function Team_Accounts of the component REST API. Performing a manipulation results in improper privilege management.
This vulnerability is identified as CVE-2026-6897. The attack can be initiated remotely. No exploit is available.
CVEList
Wishlist Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Options Update via 'wishlistmember_team_accounts_save_settings' AJAX action
cvelistv5 · 2026-05-23 · CVE-2026-6897 · HIGH · CWE-269 · CVSS 8.8
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\Team_Accounts::save_settings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options, including the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.
Timeline
2026-05-20: Vendor
2026-05-23: Published
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.