CVE-2026-6419 Wishlist Member CVE debrief

Who should care

WordPress site administrators using WishList Member plugin; security teams responsible for WordPress security posture; hosting providers managing WordPress installations; incident responders investigating potential site compromises

Technical summary

The ajax_get_screen() function in WishList Member ≤3.30.1 fails to verify user capabilities or nonces before processing requests. Attackers with minimal authentication (Subscriber+) can manipulate the data[url] parameter to force rendering of administrative templates, specifically the API configuration screen. The response includes the unencrypted REST API Secret Key, which serves as a bearer token for the WishList Member API. This API access enables creation of membership levels with arbitrary WordPress role assignments and subsequent user registration with elevated privileges, achieving unauthenticated administrative access to the WordPress installation.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade WishList Member plugin to a version newer than 3.30.1
• Review WordPress user accounts for unauthorized administrator-level accounts created via membership levels
• Rotate the WishList Member REST API Secret Key if compromise is suspected
• Implement least-privilege access controls and regularly audit user roles
• Consider implementing additional authentication controls for administrative API endpoints
• Monitor for unauthorized access to the WishList Member API using extracted credentials

Evidence notes

The vulnerability description is sourced from the official NVD record, which references Wordfence as the primary source. The CVSS 3.1 score of 8.8 (HIGH) reflects network attack vector, low attack complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability. The weakness is classified as CWE-269 (Improper Privilege Management).

Official resources