Privilege Escalation in WishList Member Plugin for WordPress
CVE-2026-6419

8.8HIGH

Key Information:

Vendor: WordPress
Status: Wishlist Member
Vendor: CVE Published:; 23 May 2026

What is CVE-2026-6419?

The WishList Member plugin for WordPress is susceptible to a vulnerability that enables privilege escalation due to inadequate authorization checks in the ajax_get_screen() function. This flaw allows authenticated users with Subscriber-level access or higher to manipulate the plugin into loading administrative API configurations without proper credentials. By exploiting this vulnerability, attackers can access sensitive information, including the plaintext REST API Secret Key. With this key, unauthorized users can interact with the WishList Member API to create new high-privilege user accounts, potentially leading to complete control over the site.

Affected Version(s)

Wishlist Member 0 <= 3.30.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wishlistmember.com/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 23, 2026
Vulnerability Reserved
Apr 16, 2026

Credit

Phú

CVE-2026-6419 Data

JSON