critical advisory

CVE-2026-6897: Wishlist Member Plugin Vulnerability Leads to WordPress Site Takeover

CVE-2026-6897 is a critical vulnerability in the Wishlist Member plugin for WordPress, allowing authenticated attackers with subscriber-level access to modify plugin settings, including the REST API secret key, ultimately enabling them to create administrator accounts and take over the entire site.

The Wishlist Member plugin, a popular WordPress plugin for membership management, is vulnerable to unauthorized data modification. This vulnerability, identified as CVE-2026-6897, resides in the ‘WishListMember\Features\Team_Accounts::save_settings’ function. Versions of the plugin up to and including 3.30.1 are affected. An authenticated attacker with subscriber-level or higher permissions can exploit this flaw. By bypassing capability checks, the attacker can modify arbitrary plugin options, including the REST API Secret Key. This critical oversight enables the attacker to create a new membership level with administrator privileges or register an arbitrary administrator-level user account. Successful exploitation results in complete control and takeover of the WordPress site.
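The defect class behind this advisory is a settings-save handler that confirms the caller is logged in but never checks a capability or restricts which options it will write. The following is an added illustration, not Wishlist Member's code: a hypothetical plugin's REST settings route in its weak form beside a hardened version. It assumes a WordPress runtime; the route name `example/v1/settings`, the `example_` function names and the option names are made up for the example.

```php
<?php
// Added example (not the Wishlist Member plugin): a settings endpoint in a
// hypothetical plugin, first as the pattern that lets a subscriber rewrite
// arbitrary options, then with the checks that close that gap.
// Assumes a WordPress runtime; all "example_" names are hypothetical.

// --- Weak pattern: any logged-in user may write any option ---------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', [
        'methods'             => 'POST',
        // A login check is not an authorization check: subscribers pass it.
        'permission_callback' => 'is_user_logged_in',
        'callback'            => 'example_save_settings_weak',
    ] );
} );

function example_save_settings_weak( WP_REST_Request $request ) {
    // Every key in the body becomes an option write. A low-privileged user
    // can therefore overwrite options the plugin later trusts, such as an
    // API secret used to authorize privileged actions.
    foreach ( $request->get_json_params() as $name => $value ) {
        update_option( $name, $value );
    }
    return rest_ensure_response( [ 'saved' => true ] );
}

// --- Hardened pattern: capability check plus an explicit allowlist --------
const EXAMPLE_ALLOWED_OPTIONS = [ 'example_welcome_text', 'example_items_per_page' ];

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings-hardened', [
        'methods'             => 'POST',
        'permission_callback' => 'example_settings_permission',
        'callback'            => 'example_save_settings_hardened',
    ] );
} );

function example_settings_permission( WP_REST_Request $request ) {
    // Require the capability that governs plugin configuration; subscribers
    // do not hold manage_options, so the route is closed to them.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', [ 'status' => 403 ] );
    }
    return true;
}

function example_save_settings_hardened( WP_REST_Request $request ) {
    $saved = [];
    foreach ( $request->get_json_params() as $name => $value ) {
        // Reject anything outside the allowlist instead of writing it; secrets
        // and security-relevant options are deliberately absent from the list
        // and should only be rotated through a dedicated admin-only action.
        if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
            return new WP_Error( 'rest_invalid_param', "Unknown setting: $name", [ 'status' => 400 ] );
        }
        update_option( $name, sanitize_text_field( (string) $value ) );
        $saved[] = $name;
    }
    return rest_ensure_response( [ 'saved' => $saved ] );
}
```

The two changes that matter are the `permission_callback` (a capability, not a login test) and the allowlist of writable option names; either one alone would have blocked the subscriber-to-option-write step described above, and together they also keep an honest administrator from accidentally touching options the endpoint was never meant to manage.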

Attack Chain

  1. An attacker gains subscriber-level access to a WordPress site running a vulnerable version (<=3.30.1) of the Wishlist Member plugin.
  2. The attacker crafts a malicious request to the ‘WishListMember\Features\Team_Accounts::save_settings’ function, bypassing capability checks.
  3. The request modifies the plugin’s settings, specifically targeting the REST API Secret Key.
  4. Using the modified REST API Secret Key, the attacker authenticates and gains elevated privileges.
  5. The attacker creates a new membership level within the plugin and assigns the ‘administrator’ WordPress role to it.
  6. Alternatively, the attacker uses the modified REST API Secret Key to directly register a new user account with administrator privileges.
  7. The attacker logs in with the newly created administrator account.
  8. The attacker gains full control over the WordPress site, allowing them to modify content, install plugins, and manage users.

Impact

Successful exploitation of CVE-2026-6897 leads to complete site takeover. Attackers can modify website content, inject malicious code, steal sensitive data, and compromise user accounts. Given the widespread use of WordPress and the Wishlist Member plugin, a significant number of websites are potentially vulnerable. The impact ranges from defacement and data theft to complete business disruption and reputational damage. A successful attack allows the attacker to persist on the system indefinitely.

Recommendation

  • Immediately update the Wishlist Member plugin to the latest version, which contains a patch for CVE-2026-6897.
  • Deploy the Sigma rule “Detect Wishlist Member Plugin API Key Modification” to monitor for unauthorized modifications to the REST API Secret Key.
  • Deploy the Sigma rule “Detect Wishlist Member Plugin Admin Account Creation” to detect the creation of new administrator accounts via the Wishlist Member plugin.
  • Review existing user accounts and remove any unauthorized administrator accounts.
  • Monitor WordPress logs for suspicious activity, particularly related to plugin settings modifications and user account creation.
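To support the monitoring and account-review steps above, here is an added example of a small must-use plugin (not part of the advisory or of Wishlist Member) that logs the two events the Sigma rules target, plugin option writes and administrator role grants, and provides a one-off audit of administrator accounts. It assumes a WordPress runtime and uses core hooks (`updated_option`, `set_user_role`) and `get_users`; the option-name prefix in `EXAMPLE_WATCHED_OPTION_PREFIXES` is a placeholder to replace with the option names your installation actually uses, and all `example_` names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Option and Role Change Monitor (added example)
 * Added example, not the advisory's Sigma rules and not Wishlist Member code.
 * Place in wp-content/mu-plugins/ to write one JSON line to the PHP error log
 * for each plugin option write and each administrator role grant.
 */

// Placeholder: replace with the option-name prefixes of the plugin you watch.
const EXAMPLE_WATCHED_OPTION_PREFIXES = [ 'wishlistmember' ];
const EXAMPLE_LOG_TAG = 'wp-monitor';

function example_log_event( string $event, array $fields ): void {
    $fields['event'] = $event;
    $fields['user']  = get_current_user_id();          // 0 for unauthenticated
    $fields['ip']    = $_SERVER['REMOTE_ADDR'] ?? '';
    $fields['uri']   = $_SERVER['REQUEST_URI'] ?? '';
    error_log( EXAMPLE_LOG_TAG . ' ' . wp_json_encode( $fields ) );
}

function example_is_watched_option( string $name ): bool {
    foreach ( EXAMPLE_WATCHED_OPTION_PREFIXES as $prefix ) {
        if ( stripos( $name, $prefix ) === 0 ) {
            return true;
        }
    }
    return false;
}

// Fires after any option is written. Log that a watched option changed and
// whether the caller held manage_options; never log the value itself, since
// it may be a secret.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( ! example_is_watched_option( $option ) ) {
        return;
    }
    example_log_event( 'option_updated', [
        'option'   => $option,
        'changed'  => $old_value !== $value,
        'by_admin' => current_user_can( 'manage_options' ),
    ] );
}, 10, 3 );

// Fires whenever a user's role is set, including during user creation.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( $role !== 'administrator' ) {
        return;
    }
    $target = get_userdata( $user_id );
    example_log_event( 'admin_role_granted', [
        'target_user'    => $target ? $target->user_login : $user_id,
        'previous_roles' => $old_roles,
        'by_admin'       => current_user_can( 'manage_options' ),
    ] );
}, 10, 3 );

// One-off audit for the account-review step: every administrator whose login
// is not on the expected list, with registration date to help triage.
// Usage: wp eval 'print_r( example_unexpected_admins( [ "alice", "bob" ] ) );'
function example_unexpected_admins( array $expected_logins ): array {
    $found = [];
    foreach ( get_users( [ 'role' => 'administrator' ] ) as $user ) {
        if ( ! in_array( $user->user_login, $expected_logins, true ) ) {
            $found[] = [
                'login'      => $user->user_login,
                'email'      => $user->user_email,
                'registered' => $user->user_registered,
            ];
        }
    }
    return $found;
}
```

An `option_updated` line with `by_admin: false`, or an `admin_role_granted` line whose acting user is not an administrator, is the signal to alert on; both correspond to steps in the attack chain above and neither occurs during normal operation of a correctly authorized plugin.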

Detection coverage (2 rules)

Detect Wishlist Member Plugin API Key Modification

Severity: high

Detects CVE-2026-6897 exploitation: monitors for unauthorized modifications to the Wishlist Member plugin's REST API Secret Key, indicative of potential privilege escalation attempts.

Rule type: sigma | Tactics: privilege_escalation | Techniques: T1068 | Sources: webserver

Detect Wishlist Member Plugin Admin Account Creation

Severity: critical

Detects CVE-2026-6897 exploitation: detects attempts to create new administrator accounts through the Wishlist Member plugin's REST API.

Rule type: sigma | Tactics: credential_access, persistence | Techniques: T1555 | Sources: webserver
