CVE-2026-6898 is a HIGH severity (CVSS 8.8) authorization bypass in the WishList Member WordPress plugin affecting versions up to and including 3.30.1. The vulnerability stems from a missing capability check on the `WishListMember3_Hooks::generate_api_key` function, allowing authenticated attackers with Subscriber-level access or higher to regenerate the plugin's REST API Secret Key. With control of this [truncated]
A missing capability check in the WishList Member WordPress plugin allows authenticated attackers with Subscriber-level access or higher to modify arbitrary plugin options, including the REST API Secret Key. This can be leveraged to create a new membership level with administrator privileges and register an arbitrary administrator account, resulting in complete site takeover. The vulnerability affects all [truncated]
The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the `export_settings` function. This function returns the REST API Secret Key to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate [truncated]
The WishList Member plugin for WordPress is vulnerable to Privilege Escalation via Missing Authorization in versions up to and including 3.30.1. The vulnerability exists in the `ajax_get_screen()` function, which lacks proper capability and nonce checks. Authenticated attackers with Subscriber-level access or higher can exploit this by supplying an arbitrary admin screen identifier through the `data[url]` par [truncated]