Missing Authorization Vulnerability in WishList Member Plugin for WordPress
CVE-2026-6895

8.8 HIGH

Key Information:

Vendor: WordPress
CVE Published: 23 May 2026

What is CVE-2026-6895?

The WishList Member plugin for WordPress contains a missing-authorization vulnerability in its 'export_settings' AJAX function, which lacks adequate capability checks. The flaw results in sensitive information disclosure: the REST API Secret Key is exposed in the AJAX JSON response. With this key, an attacker can authenticate against the WishList Member API, potentially leading to privilege escalation by creating new membership levels tied to the administrator role and registering arbitrary users with administrator-level privileges. This could result in a complete takeover of the affected WordPress site.
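The class of flaw described above, shown as an added example that is not WishList Member's code: a WordPress AJAX export handler without an authorization check next to a hardened form. The action name, option name, nonce action and array key (`demo_export_settings`, `demo_settings`, `demo_api_secret`) are hypothetical.

```php
<?php
// Added illustration only: NOT WishList Member source code.
// Hypothetical names: demo_export_settings, demo_settings, demo_api_secret.

// Vulnerable pattern: a wp_ajax_{action} hook fires for ANY logged-in user,
// so without a capability check a low-privileged account receives the secret.
function demo_export_settings_vulnerable() {
    wp_send_json_success( get_option( 'demo_settings', array() ) );
}

// Hardened pattern: verify the nonce, require an admin capability,
// and keep credentials out of the response.
function demo_export_settings_hardened() {
    // Rejects requests without a valid nonce (dies with 403 on failure).
    check_ajax_referer( 'demo_export_settings', 'nonce' );

    // Authorization: only users who can manage site options may export.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $settings = get_option( 'demo_settings', array() );
    if ( ! is_array( $settings ) ) {
        $settings = array();
    }

    // Defense in depth: never place API credentials in an export payload.
    unset( $settings['demo_api_secret'] );

    wp_send_json_success( $settings );
}

// Register only the hardened handler; no wp_ajax_nopriv_ hook is added,
// so unauthenticated requests never reach it.
add_action( 'wp_ajax_demo_export_settings', 'demo_export_settings_hardened' );
```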

Affected Version(s)

Wishlist Member 0 <= 3.30.1

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Phú