CVE-2026-6898 HIGH

CVE-2026-6898: WishList Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Generate API Secret Key via 'wlm3_generate_api_key' AJAX action

Vendor Wishlist Member
Product Wishlist Member
Weakness CWE-269
Published May 23, 2026
Last update May 26, 2026
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3_Hooks::generate_api_key' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.

Explanation of Vulnerability in Simple Terms

02Summary

Wishlist Member versions up to 3.30.1 contain a privilege management flaw that allows authenticated users with low-level access to gain unauthorized elevated privileges. An attacker with a basic user account can read, modify, or delete sensitive data and perform administrative actions without proper authorization. This affects all installations running the vulnerable version range.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete site data and perform admin actions with a low-privilege user account.

Potential impact on your site

04Site Impact

Any registered user can escalate to admin-level access and compromise your entire site.

Conditions required to exploit

05Prerequisites

Attacker must have a valid low-privilege user account on the site.

Key dates

06Disclosure timeline

May 23, 2026 CVE published
May 26, 2026 Record updated