CVE Alert

CVE-2026-6895

HIGH 8.8

Wishlist Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) API Secret Key Disclosure and Privilege Escalation via 'wlm3_export_settings' AJAX Action

CVSS Score: 8.8
EPSS Score: 0.0%
EPSS Percentile: 12th

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'export_settings' function. This function returns the REST API Secret Key to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.
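The bug class described above (an AJAX action that any logged-in user can call, with no capability check, that returns a secret), shown as an added, hypothetical illustration next to the hardened form. This is not WishList Member's code; the action name, function names and option keys are assumed for the example.

```php
<?php
// Hypothetical example of CWE-269 in a WordPress AJAX handler, not the plugin's code.
// Action and option names ("example_*") are assumed for illustration.

// VULNERABLE PATTERN: any authenticated user (Subscriber+) can reach wp_ajax_* hooks,
// the handler never checks a capability or nonce, and it serializes a secret.
// In the vulnerable plugin this would have been wired up like:
//   add_action( 'wp_ajax_example_export_settings', 'example_export_settings_vulnerable' );
function example_export_settings_vulnerable() {
    $settings = array(
        'levels'         => get_option( 'example_levels', array() ),
        'api_secret_key' => get_option( 'example_api_secret_key' ), // leaks to Subscriber+
    );
    wp_send_json_success( $settings );
}

// HARDENED PATTERN: require an administrative capability, verify a nonce bound to this
// action, and keep the API secret out of the export payload entirely.
add_action( 'wp_ajax_example_export_settings', 'example_export_settings_hardened' );
function example_export_settings_hardened() {
    // Authorization: only users who may manage site options can export settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF protection: nonce generated with wp_create_nonce( 'example_export_settings' )
    // on the admin page; check_ajax_referer() terminates the request on mismatch.
    check_ajax_referer( 'example_export_settings', 'nonce' );

    $settings = array(
        'levels' => get_option( 'example_levels', array() ),
    );
    // Configuration only: the API secret key is never placed in the response.
    wp_send_json_success( $settings );
}
```

When auditing a plugin for this class of bug, enumerate every `wp_ajax_*` and `wp_ajax_nopriv_*` callback and confirm each one performs a capability check and a nonce check before it reads or changes anything, and that no response includes credentials or keys.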

CWE: CWE-269
Vendor: wishlist member
Product: wishlist member
Published: May 23, 2026
Last Updated: May 26, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: High (A:H)

Affected Versions

Wishlist Member / Wishlist Member: 0 ≤ 3.30.1

References

NVD, CVE.org, EPSS Data
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/5b313e3d-61e0-496e-af3b-155666fae059?source=cve
wishlistmember.com: https://wishlistmember.com/

Credits

Phú