PatchSiren cyber security CVE debrief

CVE-2026-6895 Wishlist Member CVE debrief

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'export_settings' function. This function returns the REST API Secret Key to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.

Vendor: Wishlist Member
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-23
Original CVE updated: 2026-05-26
Advisory published: 2026-05-23
Advisory updated: 2026-05-26

Who should care

WordPress site administrators using WishList Member plugin; security teams managing WordPress installations; membership site operators; WordPress hosting providers

Technical summary

The vulnerability exists in the export_settings function of the WishList Member WordPress plugin (versions ≤3.30.1). Missing capability checks allow unauthenticated or low-privileged attackers to invoke this AJAX endpoint, which returns the REST API Secret Key in its JSON response. With this key, attackers can authenticate to the WishList Member API, create membership levels with administrator privileges, and register arbitrary administrator accounts, achieving complete site compromise. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates a network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability.

Defensive priority

critical

Recommended defensive actions

  • Upgrade WishList Member plugin to a version newer than 3.30.1
  • Review WordPress user accounts for unauthorized administrator-level registrations
  • Rotate any exposed WishList Member REST API Secret Keys
  • Audit membership levels for unexpected administrator role assignments
  • Implement additional access controls on WordPress admin AJAX endpoints
  • Review web server and WordPress audit logs for suspicious export_settings AJAX requests
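The log review in the last action, as an added triage script that is not part of this advisory or the plugin: it parses access-log lines in Combined Log Format, counts successful admin-ajax.php calls whose action value contains export_settings, and flags registration POSTs from the same source afterwards. The exact AJAX action name is not given in the advisory, so the substring match is an assumption; the sample log lines are constructed.

```python
"""Triage web-server access logs for export_settings AJAX calls followed by registrations."""
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: the exact AJAX action name is not in the advisory, so match any admin-ajax.php
# action value containing "export_settings". Only GET query strings appear in a standard
# access log; POSTed action parameters need a WordPress audit log or WAF log instead.
AJAX_RE = re.compile(r'/wp-admin/admin-ajax\.php\?.*\baction=[^&]*export_settings', re.I)
REGISTER_RE = re.compile(r'/wp-login\.php\?action=register', re.I)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Per source IP: successful export_settings hits and registrations seen after them."""
    findings = defaultdict(lambda: {"export_settings": 0, "registrations_after": 0})
    exported = set()  # IPs that already pulled settings (and so possibly the secret key)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if AJAX_RE.search(rec["path"]) and rec["status"] == "200":
            findings[ip]["export_settings"] += 1
            exported.add(ip)
        elif REGISTER_RE.search(rec["path"]) and rec["method"] == "POST" and ip in exported:
            findings[ip]["registrations_after"] += 1
    return dict(findings)


# Constructed sample lines (not real traffic; documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/May/2026:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "curl/8.0"',
    '203.0.113.7 - - [23/May/2026:10:14:05 +0000] "GET /wp-admin/admin-ajax.php?action=export_settings HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [23/May/2026:10:15:40 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.4 - - [23/May/2026:11:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/May/2026:11:03:00 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG).items():
        print(ip, hits)
```

A source that appears with both counters non-zero is the pattern to escalate: settings export followed by a new account, which should then be cross-checked against the user-account and membership-level reviews above.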

Evidence notes

CVE published 2026-05-23; modified 2026-05-26. CVSS 3.1 score 8.8 (HIGH). CWE-269 (Improper Privilege Management). VulnStatus: Deferred.
