No vendor fix or workaround currently provided.
No advisories yet.
Tue, 26 May 2026 15:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Sat, 23 May 2026 06:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Wishlist Member<br>Wishlist Member wishlist Member Wordpress Wordpress wordpress | |
| Vendors & Products | Wishlist Member<br>Wishlist Member wishlist Member Wordpress Wordpress wordpress | |
Sat, 23 May 2026 05:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\Team_Accounts::save_settings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options, including the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover. | |
| Title | Wishlist Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Options Update via 'wishlistmember_team_accounts_save_settings' AJAX action | |
| Weaknesses | CWE-269 | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-05-26T14:44:34.124Z
Reserved: 2026-04-23T05:52:48.878Z
Link: CVE-2026-6897
Updated: 2026-05-26T14:44:29.614Z
Status : Deferred
Published: 2026-05-23T05:16:34.407
Modified: 2026-06-17T11:01:29.297
Link: CVE-2026-6897
No data.
OpenCVE Enrichment
Updated: 2026-05-23T07:00:10Z