CVE-2026-6895 Overview
CVE-2026-6895 is a missing authorization vulnerability in the WishList Member plugin for WordPress affecting versions up to and including 3.30.1. The flaw resides in the export_settings function, which fails to perform capability checks before returning the REST API Secret Key in its AJAX JSON response. An authenticated attacker with low privileges can retrieve this key, authenticate to the WishList Member API, create a new membership level bound to the administrator WordPress role, and register an arbitrary administrator account. The result is complete site takeover. The weakness is classified under CWE-269: Improper Privilege Management.
Critical Impact
Authenticated low-privilege users can escalate to full administrator access and take over the WordPress site by exploiting the unprotected export_settings function.
Affected Products
- WishList Member plugin for WordPress, versions up to and including 3.30.1
- WordPress sites running the affected plugin with any low-privilege user role enabled
- Membership sites relying on WishList Member for access control
Discovery Timeline
- 2026-05-23 - CVE-2026-6895 published to the National Vulnerability Database
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-6895
Vulnerability Analysis
The WishList Member plugin exposes an export_settings function intended for administrative configuration export. The function is reachable through an authenticated AJAX endpoint but lacks the required capability checks to restrict access to privileged users. Any authenticated user, including subscribers, can invoke this endpoint and receive the plugin's REST API Secret Key in the JSON response.
Once the attacker possesses the Secret Key, they can authenticate directly to the WishList Member REST API as a trusted integration. The API exposes membership management functions, including creating new membership levels and binding those levels to WordPress roles. By creating a membership level mapped to the administrator role and registering a new user against that level, the attacker provisions an administrator account they fully control.
Root Cause
The root cause is missing authorization enforcement in the export_settings handler. The function does not call current_user_can() or an equivalent capability check before returning sensitive data. Combined with the REST API Secret Key being included in the response payload, this design exposes the strongest authentication material the plugin holds to any authenticated session.
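The missing check described above, shown as an added illustration in a constructed WordPress AJAX handler. This is not WishList Member's code: the hook name, the option keys and the use of the manage_options capability are assumptions chosen for the example. The vulnerable shape appears first for contrast, followed by the hardened one that the fix amounts to.

```php
<?php
// Added illustration, not WishList Member's code. The hook name, option keys
// and the capability are assumptions chosen for the example.

// Vulnerable shape (shown for contrast, not registered): a wp_ajax_* hook only
// guarantees that the caller is logged in, so every authenticated role,
// subscribers included, would receive the secret in the JSON response.
function example_export_settings_vulnerable() {
    $settings = array(
        'api_secret_key' => get_option( 'example_api_secret_key' ), // assumed option key
        'levels'         => get_option( 'example_levels', array() ),
    );
    wp_send_json( $settings ); // no nonce, no capability check
}

// Hardened shape: verify the nonce, enforce a capability, and keep the
// long-lived credential out of the export entirely.
function example_export_settings_hardened() {
    // Stops the request (HTTP 403) unless a valid nonce for this action accompanies it.
    check_ajax_referer( 'example_export_settings', 'nonce' );

    // Authorization: only users who may manage options can export settings.
    // wp_send_json_error() terminates the request, so nothing below runs for them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings = array(
        'levels' => get_option( 'example_levels', array() ),
        // The REST API secret is deliberately omitted: an export should not
        // carry credentials. Show it only on a dedicated, separately
        // authorized screen, and rotate it if it was ever exported.
    );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_export_settings', 'example_export_settings_hardened' );

// The admin-side JavaScript must send the matching nonce; generate it with
// wp_create_nonce( 'example_export_settings' ) when enqueuing that script.
```

The ordering matters: both the nonce check and the capability check run before any option is read, so a low-privilege session never reaches the sensitive data. Removing the secret from the export payload is the second half of the fix; a capability check alone still leaves the key one misconfigured role away from exposure.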
Attack Vector
Exploitation proceeds in three stages. First, the attacker authenticates with any low-privilege WordPress account and sends an AJAX request to the export_settings action. Second, the attacker parses the JSON response and extracts the REST API Secret Key. Third, the attacker calls the WishList Member REST API using the stolen key to create a new membership level tied to the administrator role, then registers a new user under that level. No social engineering or user interaction is required beyond initial low-privilege access.
No verified exploit code is published. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-6895
Indicators of Compromise
- AJAX requests to admin-ajax.php invoking the WishList Member export_settings action from non-administrator sessions.
- Unexpected REST API calls to WishList Member endpoints originating from external IP addresses.
- New membership levels created with the administrator WordPress role binding.
- Newly registered WordPress users holding the administrator role that do not match HR or provisioning records.
Detection Strategies
- Monitor WordPress audit logs for new users assigned to the administrator role outside of approved change windows.
- Alert on creation of WishList Member membership levels mapped to privileged WordPress roles.
- Inspect web server access logs for repeated requests to export_settings followed by REST API traffic from the same client.
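The access-log correlation from the last strategy, as an added detection example that is not part of the original page or of WishList Member. It parses constructed Apache/Nginx "combined" log lines, groups them by client address, and flags a client that calls admin-ajax.php with action=export_settings and then hits the WordPress REST API (the /wp-json/ prefix is used as the marker, since the plugin's own route names are not given here) within an assumed ten-minute window. One caveat a practitioner should know: the action name is only visible in an access log when it travels in the query string; for an action sent in a POST body, the same logic has to run over WAF audit logs or request-body logging instead.

```php
<?php
// Added detection example, not part of the original page or of WishList Member.
// Requires PHP 8+ (str_starts_with). All sample log lines below are constructed.

const WINDOW_SECONDS = 600; // assumed correlation window: ten minutes

// Constructed sample log lines in "combined" format (not real traffic).
$sampleLog = <<<'LOG'
203.0.113.5 - - [23/May/2026:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=export_settings HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [23/May/2026:10:15:09 +0000] "POST /wp-json/example-plugin/v1/levels HTTP/1.1" 201 150 "-" "curl/8.6.0"
198.51.100.7 - - [23/May/2026:10:20:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "-" "Mozilla/5.0"
192.0.2.9 - - [23/May/2026:11:00:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
LOG;

// Extracts client IP, timestamp, method, request target and status from one line.
function parseLine(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $ts->getTimestamp(), 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5]];
}

// True when the request targets admin-ajax.php with action=export_settings in the query string.
function isExportSettingsCall(array $req): bool {
    $url = parse_url($req['path']);
    if (($url['path'] ?? '') !== '/wp-admin/admin-ajax.php') {
        return false;
    }
    parse_str($url['query'] ?? '', $q);
    return isset($q['action']) && strtolower($q['action']) === 'export_settings';
}

// Assumption: any /wp-json/ request counts as REST API traffic.
function isRestCall(array $req): bool {
    return str_starts_with($req['path'], '/wp-json/');
}

// Returns, per client IP, the first REST call that followed a successful
// export_settings call within the window.
function findSuspiciousClients(string $log, int $window = WINDOW_SECONDS): array {
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLine($line);
        if ($req !== null) {
            $byIp[$req['ip']][] = $req;
        }
    }
    $hits = [];
    foreach ($byIp as $ip => $reqs) {
        usort($reqs, fn($a, $b) => $a['time'] <=> $b['time']);
        $exportAt = null;
        foreach ($reqs as $r) {
            if (isExportSettingsCall($r) && $r['status'] === 200) {
                $exportAt = $r['time'];
            } elseif ($exportAt !== null && isRestCall($r) && $r['time'] - $exportAt <= $window) {
                $hits[$ip] = ['export_at' => $exportAt, 'rest_path' => $r['path'],
                              'delta_s' => $r['time'] - $exportAt];
                break;
            }
        }
    }
    return $hits;
}

foreach (findSuspiciousClients($sampleLog) as $ip => $h) {
    printf("ALERT %s: export_settings at %s, then %s %ds later\n",
           $ip, gmdate('c', $h['export_at']), $h['rest_path'], $h['delta_s']);
}
```

Run it with `php detect.php`; only the 203.0.113.5 sequence is reported, since the heartbeat call and the unrelated REST read come from other clients with no preceding export. On a real site, feed it `tail -n` output from the access log and lower the window if the site's legitimate administrators never use the REST API right after an export.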
Monitoring Recommendations
- Enable WordPress security logging plugins that capture role changes, user creation, and AJAX action invocation.
- Forward WordPress and web server logs to a centralized analytics platform for correlation across authentication, AJAX, and REST API events.
- Review WishList Member REST API Secret Key usage on a recurring basis and rotate the key if exposure is suspected.
How to Mitigate CVE-2026-6895
Immediate Actions Required
- Update the WishList Member plugin to a version later than 3.30.1 once a patched release is published by the vendor.
- Audit all WordPress administrator accounts and remove any unrecognized users.
- Rotate the WishList Member REST API Secret Key after upgrading to invalidate any keys that may have been exfiltrated.
- Review recent membership levels and delete any that bind to the administrator role unexpectedly.
Patch Information
Refer to the WishList Member homepage and the Wordfence Vulnerability Report for the latest patched version information. Apply the vendor-supplied update as soon as it is available.
Workarounds
- Restrict access to wp-admin/admin-ajax.php through a Web Application Firewall rule that blocks the export_settings action for non-administrator sessions.
- Disable open user registration and limit subscriber-tier account creation until the plugin is patched.
- Temporarily deactivate the WishList Member plugin on sites that do not require active membership functionality.
# Example ModSecurity (v2 syntax) rule concept to block the vulnerable AJAX action.
# Denies any request to admin-ajax.php whose action parameter is export_settings.
# A WAF cannot tell an administrator's WordPress session from a subscriber's,
# so this also blocks legitimate administrator exports; treat it as a stopgap
# until the plugin is patched. phase:2 is needed so that ARGS covers the POST
# body; REQUEST_FILENAME is used because REQUEST_URI includes the query string.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:1026895,phase:2,deny,status:403,log,chain,msg:'Block WishList Member export_settings abuse'"
    SecRule ARGS:action "@streq export_settings" "t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


