CVE-2026-6895 in Wishlist Member Pluginthông tin

Tóm tắt

Bởi MITRE • 23/05/2026

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'export_settings' function. This function returns the REST API Secret Key to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

chịu trách nhiệm

Wordfence

Đặt trước

23/04/2026

Tiết lộ

23/05/2026

Kiểm duyệt

được chấp nhận

mục

VDB-365304

CPE

sẵn sàng

CWE

CWE-269 (Đã xác nhận)

CVSS

8.8 (CNA)

EPSS

0.00044

KEV

không

Các hoạt động

rất thấp

ngành

Hostingprovider

Nguồn

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-6895
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-6895
CVE Details	https://www.cvedetails.com/cve/CVE-2026-6895/

◂ Trước Tổng Quan Tiếp theo ▸

Do you know our Splunk app?

Download it now for free!