Wishlist Member < 3.31.0 – Missing Authorization to Authenticated (Subscriber+) API Secret Key Disclosure and Privilege Escalation via 'wlm3_export_settings' AJAX Action | CVE 2026-6895 | Plugin Vulnerabilities

Description

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'export_settings' function. This function returns the REST API Secret Key to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.

Affects Plugins

wishlist-member-x

Fixed in 3.31.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5b313e3d-61e0-496e-af3b-155666fae059

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

h0xilo

Verified

No

WPVDB ID

4fe405f8-1ec2-42c4-81f8-6aa0dad44ac2

Timeline

Publicly Published

2026-05-22 (about 15 days ago)

Added

2026-05-22 (about 15 days ago)

Last Updated

2026-06-05 (about 1 day ago)

Other

Published

Title

Published

2025-05-22

Title

Hospital Management System <= 47.0(20-11-2023) - Authenticated (Subscriber+) Privilege Escalation

Published

2023-06-19

Title

tagDiv Cloud Library < 2.7 - Unauthenticated Arbitrary User Metadata Update to Privilege Escalation

Published

2025-04-18

Title

UrbanGo Membership < 1.1 - Unauthenticated Privilege Escalation

Published

2025-05-06

Title

Frontend Dashboard 1.0 - 2.2.6 - Unauthenticated Privilege Escalation via fed_wp_ajax_fed_login_form_post Function

Published

2020-03-05

Title

Brizy - Page Builder < 1.0.114 - Unauthenticated Site Settings Update