CVE-2026-6898
Published 2026-05-23
Priority: P260 · Severity: high · CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.24% (15.4th percentile)
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3_Hooks::generate_api_key' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.
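The defect class described above (CWE-269, a state-changing admin-ajax action that any logged-in user can trigger because the handler never checks the caller's capability) is a recurring WordPress plugin pattern. The following is an illustrative example added here by the editor; it is not Wishlist Member's code, and the class names, the option key `wlm_illustrative_api_secret`, the capability `manage_options` and the nonce action `wlm_generate_api_key_nonce` are all assumptions. Only the AJAX action name `wlm3_generate_api_key` comes from the advisory title.

```php
<?php
// Illustrative example added by the editor; not the plugin's own code.
// Class names, option key, capability and nonce action are assumptions.

// BEFORE: the pattern the advisory describes. wp_ajax_* fires for every
// authenticated account (Subscriber included), and the handler never asks
// who is calling, so any logged-in user can rotate the secret.
class WLM_Hooks_Illustrative_Vulnerable {
    public static function register() {
        add_action( 'wp_ajax_wlm3_generate_api_key', array( __CLASS__, 'generate_api_key' ) );
    }

    public static function generate_api_key() {
        $key = wp_generate_password( 64, false );
        update_option( 'wlm_illustrative_api_secret', $key ); // assumed option name
        wp_send_json_success( array( 'key' => $key ) );
    }
}

// AFTER: the same handler with the two checks WordPress expects on any
// state-changing admin-ajax action: a capability check (authorization) and a
// nonce check (CSRF). Both run before any data is modified.
class WLM_Hooks_Illustrative_Fixed {
    public static function register() {
        add_action( 'wp_ajax_wlm3_generate_api_key', array( __CLASS__, 'generate_api_key' ) );
    }

    public static function generate_api_key() {
        // Rotating an integration secret is an administrative act: require a
        // capability only administrators hold by default. wp_send_json_error()
        // terminates the request, so nothing below runs on failure.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }

        // The nonce proves the request came from a page the admin loaded;
        // it is not a substitute for the capability check above.
        check_ajax_referer( 'wlm_generate_api_key_nonce', 'nonce' );

        $key = wp_generate_password( 64, false );
        update_option( 'wlm_illustrative_api_secret', $key ); // assumed option name
        wp_send_json_success( array( 'key' => $key ) );
    }
}
```

When reviewing a plugin for this bug class, list every `add_action( 'wp_ajax_...' )` registration and confirm the callback calls `current_user_can()` with an appropriate capability before it writes anything; a nonce check alone does not authorize the caller, since every logged-in user can obtain a valid nonce for pages they can load.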
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wishlist_member | wishlist_member | <= 3.30.1 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| cvelistv5 | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
GHSA
GHSA-pxfc-4432-7mrc (ghsa_unreviewed · 2026-05-26 · HIGH · CWE-269)
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3_Hooks::generate_api_key' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.
CVEList
WishList Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Generate API Secret Key via 'wlm3_generate_api_key' AJAX action (cvelistv5 · 2026-05-23 · CVSS 8.8 HIGH · CWE-269)
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3_Hooks::generate_api_key' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.
Timeline: 2026-05-20: Vendor Notified; 2026-05-22: Disclosed
VulDB
Wishlist Member Plugin up to 3.30.1 on WordPress REST API generate_api_key privileges management (EUVD-2026-31523) (vuldb · 2026-05-23 · CRITICAL)
A vulnerability classified as critical was found in Wishlist Member Plugin up to 3.30.1 on WordPress. This vulnerability affects the function WishListMember3_Hooks::generate_api_key of the component REST API. Executing a manipulation can lead to improper privilege management.
This vulnerability is tracked as CVE-2026-6898. The attack can be launched remotely. No exploit exists.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.