PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6897 Wishlist Member CVE debrief

A missing capability check in the Wishlist Member WordPress plugin allows authenticated attackers with Subscriber-level access or higher to modify arbitrary plugin options, including the REST API Secret Key. This can be leveraged to create a new membership level with administrator privileges and register an arbitrary administrator account, resulting in complete site takeover. The vulnerability affects all versions up to and including 3.30.1. The issue was disclosed on 2026-05-23 and last modified on 2026-05-26. No known exploitation in ransomware campaigns has been reported.

Vendor
Wishlist Member
Product
Unknown
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-23
Original CVE updated
2026-05-26
Advisory published
2026-05-23
Advisory updated
2026-05-26

Who should care

WordPress site administrators using Wishlist Member plugin; security teams managing WordPress installations; hosting providers offering managed WordPress services; incident response teams handling WordPress compromises

Technical summary

The Wishlist Member plugin for WordPress fails to perform capability checks on the WishListMember Features Team_Accounts::save_settings function. This authorization bypass allows any authenticated user with Subscriber role or higher to invoke the function and modify plugin configuration options. The REST API Secret Key is among the modifiable options; an attacker who updates this key can subsequently use the REST API to create a membership level mapped to the WordPress administrator role and register a new user with that level, achieving full administrative control over the WordPress site. The vulnerability is classified as CWE-269 (Improper Privilege Management) and carries a CVSS 3.1 score of 8.8 (HIGH).
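The pattern the summary describes, shown as an added illustration that is not Wishlist Member's code: a WordPress AJAX settings handler that writes options without asking who is calling, beside the hardened form that checks the nonce and the `manage_options` capability and only accepts an allow-list of keys. The hook names, option key, setting names and nonce action are hypothetical.

```php
<?php
// Added illustration, not Wishlist Member's code. Hook names, option key,
// setting names and the nonce action are hypothetical.

// Vulnerable pattern: every logged-in user (Subscriber included) can reach a
// wp_ajax_* handler, and nothing here checks whether the caller may change
// plugin settings, so any option in the payload is stored as-is.
function example_save_settings_unchecked() {
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_plugin_settings', $settings ); // could include an API secret
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_unchecked', 'example_save_settings_unchecked' );

// Hardened pattern: verify the nonce (CSRF), then the capability (authz),
// then restrict writes to an allow-list of keys so the handler can never be
// used to overwrite unrelated options such as a REST secret.
function example_save_settings_checked() {
    check_ajax_referer( 'example_save_settings', 'nonce' );      // dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 ); // dies
    }

    $incoming = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $allowed  = array( 'team_accounts_enabled', 'team_size_limit' ); // hypothetical keys
    $clean    = array();
    foreach ( $allowed as $key ) {
        if ( isset( $incoming[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( (string) $incoming[ $key ] );
        }
    }

    // Merge into the stored settings: keys outside the allow-list are untouched.
    $current = (array) get_option( 'example_plugin_settings', array() );
    update_option( 'example_plugin_settings', array_merge( $current, $clean ) );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_example_save_settings_checked', 'example_save_settings_checked' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*`, `admin_post_*` or REST callback that calls `update_option()` and confirm a `current_user_can()` check sits on the same code path.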

Defensive priority

critical

Recommended defensive actions

  • Immediately update Wishlist Member plugin to version 3.30.2 or later if available
  • If patching is not immediately possible, restrict Subscriber-level user registrations and audit existing low-privilege accounts
  • Review WordPress user roles and capabilities for any unauthorized administrator accounts
  • Rotate the Wishlist Member REST API Secret Key if compromise is suspected
  • Monitor web server and WordPress audit logs for unauthorized plugin option modifications or unexpected membership level changes
  • Consider implementing additional authentication controls or Web Application Firewall rules to restrict access to plugin administrative functions

Evidence notes

Vulnerability disclosed via Wordfence and published to NVD on 2026-05-23. CVSS 3.1 score of 8.8 (HIGH) assigned. CWE-269 (Improper Privilege Management) identified as the root cause.

Official resources

2026-05-23