What the vulnerability does
01Description
The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. The cause is a missing capability check in the 'export_settings' function: any authenticated user can trigger it, and its AJAX JSON response includes the plugin's REST API Secret Key. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level mapped to the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.
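The root cause described above is a generic WordPress mistake: a `wp_ajax_*` handler that any logged-in user can reach, returning privileged data without checking who is asking. The following is an added illustration of that pattern beside its hardened form; it is not WishList Member's code, and the `myplugin_` prefix, the option names, the nonce action and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added example, not code from WishList Member. All myplugin_* names,
// option keys and the nonce action 'myplugin_export' are hypothetical.

// BEFORE (vulnerable pattern): every wp_ajax_* action is reachable by any
// authenticated user, so a handler without a capability check hands the
// REST secret to a low-privilege account in its JSON response.
function myplugin_export_settings_vulnerable() {
    $settings = array(
        'rest_api_secret' => get_option( 'myplugin_rest_secret' ),
        'levels'          => get_option( 'myplugin_levels', array() ),
    );
    wp_send_json_success( $settings ); // secret leaks to whoever called
}
// The vulnerable wiring, shown for comparison only (left unregistered here):
// add_action( 'wp_ajax_myplugin_export_settings', 'myplugin_export_settings_vulnerable' );

// AFTER (hardened pattern): verify the nonce (anti-CSRF) and the capability
// (authorization) before doing anything, and keep the secret out of exports.
function myplugin_export_settings_hardened() {
    check_ajax_referer( 'myplugin_export', 'nonce' );        // dies on bad/missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {           // administrators only
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $settings = array(
        'levels' => get_option( 'myplugin_levels', array() ),
        // 'rest_api_secret' is deliberately not exported; a key that must move
        // between sites should be regenerated on the target, not copied.
    );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_myplugin_export_settings', 'myplugin_export_settings_hardened' );
```

The nonce and the capability check guard different things: `check_ajax_referer` stops a cross-site request forged against an administrator, while `current_user_can` is the authorization step whose absence this advisory describes. Either one alone is insufficient, and a nonce in particular does not prove the caller is privileged, since any logged-in user can obtain a nonce for a page they are allowed to see.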
Explanation of Vulnerability in Simple Terms
02Summary
WishList Member versions up to and including 3.30.1 contain a missing authorization check that lets authenticated users with low-level access retrieve the plugin's REST API Secret Key and use it to escalate to administrator. An attacker with a basic user account can therefore read, modify, or delete sensitive data and disrupt site operations. Update to a version newer than 3.30.1 immediately.
What an attacker can do
03Attacker Capabilities
With only a low-privilege user account, obtain the REST API Secret Key, escalate to an administrator-level account, and then read, modify, or delete sensitive data and disrupt site operations.
Potential impact on your site
04Site Impact
Authenticated low-privilege users can escalate to administrator, gaining access to all admin functions, exposing member data, and allowing full compromise of the site.
Conditions required to exploit
05Prerequisites
The attacker must hold a valid low-privilege user account on the site; no interaction from an administrator or other user is required.
Key dates
06Disclosure timeline
May 23, 2026
CVE published
May 26, 2026
Record updated