critical advisory

CVE-2026-6898: Wishlist Member WordPress Plugin Vulnerability Leads to Site Takeover

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check (CVE-2026-6898), allowing authenticated attackers with subscriber-level access or higher to update the REST API Secret Key, create administrator accounts, and achieve complete site takeover.

CVE-2026-6898 affects the Wishlist Member plugin for WordPress, versions up to and including 3.30.1. A missing capability check on the WishListMember3_Hooks::generate_api_key function allows authenticated attackers with at least subscriber-level privileges to modify sensitive data, specifically the REST API Secret Key. By exploiting this vulnerability, an attacker can create a new membership level with administrator privileges and register an arbitrary administrator-level user account, leading to complete control of the WordPress site. This is a critical vulnerability because it allows a low-privileged user to gain administrative access, bypassing the plugin's intended authorization controls.
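To illustrate the bug class behind this advisory (a privileged action reachable by any logged-in user with no capability check), here is an added example of a hypothetical WordPress AJAX handler that rotates an API secret, shown in its vulnerable form beside a hardened form. This is not the plugin's real code: the function, option and action names (wlm_generate_api_key, wlm_rest_api_secret) are assumptions, and the real plugin's fix may differ.

```php
<?php
// Added example, not the plugin's code. All wlm_* names are assumptions.

// VULNERABLE PATTERN: every wp_ajax_* action is reachable by any
// authenticated user, subscriber included. Nothing here asks whether the
// caller is allowed to rotate the secret, so any logged-in user can.
function wlm_generate_api_key_vulnerable() {
    $new_key = wp_generate_password( 64, false );
    update_option( 'wlm_rest_api_secret', $new_key );
    wp_send_json_success( array( 'key' => $new_key ) );
}
// Shown for contrast only; intentionally NOT registered with add_action().

// HARDENED PATTERN: refuse the request unless it carries a valid nonce for
// this action AND the caller holds an administrator-level capability.
function wlm_generate_api_key_hardened() {
    // CSRF protection: dies with HTTP 403 if the nonce is missing/invalid.
    check_ajax_referer( 'wlm_generate_api_key', 'nonce' );

    // Authorization: the capability check the vulnerable version lacks.
    // manage_options is held by administrators, not by subscribers.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    $new_key = wp_generate_password( 64, false );
    update_option( 'wlm_rest_api_secret', $new_key );

    // Audit trail: tie every rotation to the user who performed it, so an
    // unexpected rotation can be investigated (see the Recommendation section).
    error_log( sprintf(
        'wlm: REST API secret rotated by user ID %d',
        get_current_user_id()
    ) );

    wp_send_json_success( array( 'key' => $new_key ) );
}
add_action( 'wp_ajax_wlm_generate_api_key', 'wlm_generate_api_key_hardened' );
```

The same two checks (nonce plus capability) belong on any handler that changes security-relevant settings, whether it is exposed through admin-ajax.php, a REST route (via permission_callback), or a custom hook.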

Attack Chain

  1. Attacker authenticates to the WordPress site with a subscriber-level account or higher.
  2. Attacker sends a request to the WishListMember3_Hooks::generate_api_key function to update the REST API Secret Key due to the missing capability check.
  3. The REST API Secret Key is updated by the attacker.
  4. Attacker leverages the updated REST API Secret Key to create a new membership level.
  5. The attacker configures this new membership level with administrator privileges.
  6. The attacker registers a new user account and assigns it to the newly created membership level with administrator privileges.
  7. Attacker logs in with the newly created administrator account.
  8. Attacker gains complete control over the WordPress site, able to modify content, install plugins, and manage users.

Impact

Successful exploitation of CVE-2026-6898 results in complete site takeover. An attacker can gain administrative access to the WordPress site, enabling them to modify content, inject malicious code, install or remove plugins, and manage user accounts. This can lead to data theft, defacement of the website, or use of the compromised site for malicious purposes, such as hosting phishing pages or malware. The vulnerability impacts any WordPress site using the Wishlist Member plugin version 3.30.1 or earlier.

Recommendation

  • Upgrade the Wishlist Member plugin to the latest version to patch CVE-2026-6898.
  • Deploy the Sigma rule “Detect CVE-2026-6898 Exploitation Attempt - REST API Key Update” to monitor for unauthorized attempts to update the REST API Secret Key in web server logs.
  • Review user roles and permissions to ensure appropriate access controls are in place, and investigate any unexpected administrator accounts.

Detection coverage (2 rules)

Detect CVE-2026-6898 Exploitation Attempt - REST API Key Update

Severity: high

Detects a CVE-2026-6898 exploitation attempt: monitors for requests to update the REST API Secret Key, which could lead to privilege escalation.

Format: sigma | Tactics: privilege_escalation | Techniques: T1078 | Sources: webserver

Detect creation of admin user by REST API

Severity: critical

Detects the creation of a user with admin privileges via the REST API, possibly indicating exploitation of CVE-2026-6898.

Format: sigma | Tactics: persistence | Techniques: T1078 | Sources: webserver

Detection queries are available on the platform.