PatchSiren cyber security CVE debrief
CVE-2026-6898 Wishlist Member CVE debrief
CVE-2026-6898 is a HIGH severity (CVSS 8.8) authorization bypass in the Wishlist Member WordPress plugin affecting versions up to and including 3.30.1. The vulnerability stems from a missing capability check on the `WishListMember3_Hooks::generate_api_key` function, allowing authenticated attackers with Subscriber-level access or higher to regenerate the plugin's REST API Secret Key. With control of this key, an attacker can create a new membership level mapped to the WordPress administrator role and register an arbitrary account under it, achieving complete site takeover. The CVE record was published on 2026-05-23 and last modified on 2026-05-26. No CISA KEV listing or known ransomware campaign use has been identified.
- Vendor: Wishlist Member
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-23
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-23
- Advisory updated: 2026-05-26
Who should care
WordPress site administrators running Wishlist Member plugin versions ≤3.30.1; security teams managing WordPress estates; hosting providers operating shared WordPress environments; compliance officers tracking access-control failures
Technical summary
The Wishlist Member plugin does not verify the caller's capabilities before executing the `generate_api_key` function, so any authenticated user (Subscriber or higher) can invoke it and rotate the REST API Secret Key. On membership sites that allow self-registration, obtaining such an account is trivial, which makes the "low privileges required" prerequisite a weak barrier in practice. The plugin's REST API, authenticated by that key, permits creating membership levels with arbitrary WordPress role assignments, including administrator. An attacker chains these weaknesses: (1) regenerate the API key, (2) create a membership level mapped to the administrator role, (3) register a user under that level, which yields an administrator account. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H reflects a network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The assigned weakness is CWE-269 (Improper Privilege Management).
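The following is an added illustration of the bug class described above, not Wishlist Member's code: the hook names, option names, REST namespace, header name and handler bodies are hypothetical, and only the WordPress API calls (`add_action`, `current_user_can`, `check_ajax_referer`, `update_option`, `register_rest_route`, `wp_send_json_*`, `WP_Error`) are real. It shows a key-rotation handler in the vulnerable shape (no capability check) next to a hardened one, and a level-creation REST route whose role allow-list stops a level from being mapped to `administrator` unless an authenticated administrator creates it.

```php
<?php
// Added example, not Wishlist Member's code. Hook names, option names, the
// REST namespace and every handler body are hypothetical; the WordPress API
// calls are real.

// --- VULNERABLE: rotating the REST secret without a capability check ---
// wp_ajax_* handlers fire for ANY logged-in user, Subscribers included.
// Nothing here checks who the caller is before the secret is replaced.
add_action( 'wp_ajax_example_generate_api_key', function () {
    $key = wp_generate_password( 40, false );
    update_option( 'example_rest_secret', $key );
    wp_send_json_success( array( 'key' => $key ) ); // hands the new secret to the caller
} );

// --- HARDENED: explicit capability check plus a nonce ---
add_action( 'wp_ajax_example_generate_api_key_fixed', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // sends and exits
    }
    check_ajax_referer( 'example_generate_api_key', 'nonce' );   // dies on a bad nonce (CSRF)
    $key = wp_generate_password( 40, false );
    update_option( 'example_rest_secret', $key );
    error_log( sprintf( 'REST secret rotated by user %d', get_current_user_id() ) );
    wp_send_json_success( array( 'rotated' => true ) ); // do not echo the secret back
} );

// --- HARDENED: the level-creation route must not accept arbitrary roles ---
// Even with a valid secret, the role a level grants is capped; mapping a
// level to 'administrator' additionally requires an administrator session.
const EXAMPLE_ASSIGNABLE_ROLES = array( 'subscriber', 'contributor', 'author' );

function example_create_level_permission( WP_REST_Request $request ) {
    $presented = (string) $request->get_header( 'X-Example-Secret' ); // hypothetical header
    $stored    = (string) get_option( 'example_rest_secret', '' );
    // hash_equals avoids a timing side channel on the secret comparison.
    if ( '' === $stored || ! hash_equals( $stored, $presented ) ) {
        return new WP_Error( 'rest_forbidden', 'bad secret', array( 'status' => 403 ) );
    }
    return true;
}

function example_create_level( WP_REST_Request $request ) {
    $name    = sanitize_text_field( (string) $request->get_param( 'name' ) );
    $role    = sanitize_key( (string) $request->get_param( 'role' ) );
    $allowed = EXAMPLE_ASSIGNABLE_ROLES;
    if ( current_user_can( 'manage_options' ) ) {
        $allowed[] = 'administrator'; // secret alone is never enough for this
    }
    if ( ! in_array( $role, $allowed, true ) ) {
        return new WP_Error( 'rest_invalid_role', 'role not assignable', array( 'status' => 400 ) );
    }
    $levels   = (array) get_option( 'example_levels', array() );
    $levels[] = array( 'name' => $name, 'role' => $role, 'created_by' => get_current_user_id() );
    update_option( 'example_levels', $levels );
    return rest_ensure_response( array( 'created' => true, 'role' => $role ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/levels', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_level',
        'permission_callback' => 'example_create_level_permission',
        'args'                => array(
            'name' => array( 'required' => true, 'type' => 'string' ),
            'role' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The two fixes address the two links of the chain independently: the capability check stops step (1) entirely, and the role allow-list in the level route means that even a leaked or rotated secret cannot complete step (2) without an administrator session behind the request.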
Defensive priority
critical
Recommended defensive actions
- Upgrade Wishlist Member plugin to a version newer than 3.30.1 as soon as a patched release is available
- Audit WordPress user accounts for unexpected administrator-level accounts or membership levels with elevated role assignments
- Review REST API access logs for unauthorized membership level creation or user registration events
- Regenerate the Wishlist Member REST API Secret Key if compromise is suspected
- Apply least privilege: remove Subscriber accounts that are no longer needed, reconsider whether open self-registration is required, and review what capabilities the plugin's custom roles carry
- Consider Web Application Firewall rules to restrict access to Wishlist Member API endpoints pending patch availability
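To support the account-audit action above, the following WP-CLI script (added here, not from the vendor; the expected-administrator list and cut-off date are placeholders to set per site, and the function name is hypothetical) lists every account holding the administrator role and flags those outside the allow-list, registered after the cut-off, or carrying extra roles. Run it with `wp eval-file audit-admins.php` from the WordPress root.

```php
<?php
// Added audit script, not part of Wishlist Member. Run under WP-CLI:
//   wp eval-file audit-admins.php
// EXPECTED_ADMINS and CUTOFF are placeholders; set them for your site.

const EXPECTED_ADMINS = array( 'siteowner' );   // logins allowed to be administrators
const CUTOFF          = '2026-05-01 00:00:00';  // same format as user_registered

// Returns ID => finding for every administrator that looks out of place.
function example_find_suspicious_admins( array $expected, string $cutoff ) : array {
    $findings = array();
    // get_users( role => administrator ) returns every account holding that
    // role, including accounts that were granted it through a membership level.
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        $reasons = array();
        if ( ! in_array( $user->user_login, $expected, true ) ) {
            $reasons[] = 'not in expected administrator list';
        }
        if ( strcmp( $user->user_registered, $cutoff ) > 0 ) {
            $reasons[] = 'registered after cutoff (' . $user->user_registered . ')';
        }
        if ( count( $user->roles ) > 1 ) {
            $reasons[] = 'holds multiple roles: ' . implode( ',', $user->roles );
        }
        if ( $reasons ) {
            $findings[ $user->ID ] = array(
                'login'   => $user->user_login,
                'email'   => $user->user_email,
                'reasons' => $reasons,
            );
        }
    }
    return $findings;
}

$findings = example_find_suspicious_admins( EXPECTED_ADMINS, CUTOFF );
if ( ! $findings ) {
    WP_CLI::success( 'No unexpected administrator accounts.' );
} else {
    foreach ( $findings as $id => $f ) {
        WP_CLI::warning( sprintf( 'user %d (%s, %s): %s',
            $id, $f['login'], $f['email'], implode( '; ', $f['reasons'] ) ) );
    }
    WP_CLI::log( 'Verify each account before removal: wp user delete <ID> --reassign=<trusted ID>' );
}
```

Treat a hit as a lead, not a verdict: a legitimate administrator added after the cut-off will trigger the date check, so confirm each finding against change records before deleting anything, and rotate the plugin's REST API Secret Key through the plugin itself once the unexpected accounts are gone.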
Evidence notes
Vulnerability description and CVSS vector sourced from the NVD record. The Wordfence reference provides technical details on the missing capability check and the attack chain. Vendor attribution is based on the reference domain candidate 'Wishlistmember' with low confidence and requires review.
Official resources