No vendor fix or workaround currently provided.
No advisories yet.
Tue, 26 May 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |

Sat, 23 May 2026 06:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Wishlist Member, Wishlist Member wishlist Member, Wordpress, Wordpress wordpress | |
| Vendors & Products | Wishlist Member, Wishlist Member wishlist Member, Wordpress, Wordpress wordpress | |

Sat, 23 May 2026 05:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3_Hooks::generate_api_key' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover. | |
| Title | WishList Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Generate API Secret Key via 'wlm3_generate_api_key' AJAX action | |
| Weaknesses | CWE-269 | |
| References | | |
| Metrics | cvssV3_1 | |

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-05-26T13:16:56.571Z
Reserved: 2026-04-23T06:00:50.744Z
Link: CVE-2026-6898
Updated: 2026-05-26T13:16:53.466Z
Status: Deferred
Published: 2026-05-23T05:16:34.523
Modified: 2026-06-17T11:01:29.393
Link: CVE-2026-6898
OpenCVE Enrichment
Updated: 2026-05-23T07:30:12Z