CVE-2026-6895 HIGH

CVE-2026-6895: Wishlist Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) API Secret Key Disclosure and Privilege Escalation via 'wlm3_export_settings' AJAX Action

Vendor Wishlist Member
Product Wishlist Member
Weakness CWE-269
Published May 23, 2026
Last update May 26, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to a missing capability check in the 'export_settings' function, which is reachable through the 'wlm3_export_settings' AJAX action by any authenticated user (Subscriber or above). The function returns the REST API Secret Key to the requester in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.
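As an added illustration of the pattern the description names (this is not WishList Member's own code): a WordPress AJAX handler that hands the settings export to any logged-in user, beside a hardened version that checks capability and nonce and keeps the secret out of the export. The option name, nonce action and settings key name are assumptions.

```php
<?php
// Illustrative code, not the plugin's own. The AJAX action name is from the
// advisory; 'wlm3_settings_assumed', 'wlm3_export_nonce' and 'api_secret_key'
// are assumed names used only for this example.

// Vulnerable shape: wp_ajax_* hooks fire for every logged-in user, so without
// a capability check a Subscriber reaches the handler and the JSON response
// carries the REST API secret key.
function wlm3_export_settings_vulnerable() {
    $settings = get_option( 'wlm3_settings_assumed', array() ); // assumed option name
    wp_send_json_success( $settings ); // secret key leaks here
}
// add_action( 'wp_ajax_wlm3_export_settings', 'wlm3_export_settings_vulnerable' );

// Hardened shape: authorize, verify the request origin, minimise the data.
function wlm3_export_settings_hardened() {
    // 1. Authorization: exporting plugin settings is an administrator task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce minted for this action
    //    (nonce action name is assumed). check_ajax_referer() dies on failure.
    check_ajax_referer( 'wlm3_export_nonce', 'nonce' );

    $settings = get_option( 'wlm3_settings_assumed', array() );

    // 3. Data minimisation: credentials never belong in an export, even for admins.
    unset( $settings['api_secret_key'] ); // assumed key name

    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_wlm3_export_settings', 'wlm3_export_settings_hardened' );
```

The ordering matters: the capability check runs before any data is loaded, so an unauthorized caller learns nothing beyond the 403.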

Explanation of Vulnerability in Simple Terms

02 Summary

Wishlist Member versions up to and including 3.30.1 contain a privilege management flaw that allows authenticated users with low-level access to gain unauthorized elevated privileges. An attacker with a basic user account can read, modify, or delete sensitive data and disrupt site operations. Update to a version newer than 3.30.1 immediately.

What an attacker can do

03 Attacker Capabilities

Read, modify, or delete sensitive data and disrupt site operations with a low-privilege user account.

Potential impact on your site

04 Site Impact

Authenticated users can escalate their privileges to access admin functions, compromise member data, and damage site integrity.

Conditions required to exploit

05 Prerequisites

The attacker must have a valid low-privilege user account (Subscriber or above) on the site; no user interaction is required.

Key dates

06 Disclosure timeline

May 23, 2026 CVE published
May 26, 2026 Record updated

Related vulnerabilities

08 Related CVE