{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wishlist-member-plugin--3.30.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6895"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WishList Member plugin \u003c= 3.30.1"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","privilege-escalation","cve"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WishList Member plugin for WordPress, versions up to and including 3.30.1, contains a missing authorization vulnerability. Specifically, the \u003ccode\u003eexport_settings\u003c/code\u003e function lacks proper capability checks. This flaw allows unauthenticated attackers to retrieve the REST API Secret Key via an AJAX JSON response. Obtaining this key enables the attacker to authenticate to the WishList Member API, which can then be leveraged to escalate privileges and create rogue administrator accounts. The vulnerability poses a significant risk to WordPress sites using the WishList Member plugin, potentially leading to complete site takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a request to the WordPress server to trigger the \u003ccode\u003eexport_settings\u003c/code\u003e function in the WishList Member plugin via AJAX.\u003c/li\u003e\n\u003cli\u003eDue to missing authorization checks, the \u003ccode\u003eexport_settings\u003c/code\u003e function executes and returns the REST API Secret Key in the AJAX JSON response.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the REST API Secret Key from the server\u0026rsquo;s response.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the REST API Secret Key to authenticate to the WishList Member API.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the authenticated WishList Member API to create a new membership level.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns the administrator WordPress role to the newly created membership level.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a new user account and assigns it to the membership level created in the prior steps.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the WordPress site using the newly created administrator-level user account, achieving complete site takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-6895) allows an attacker to completely compromise a WordPress website. Attackers can create new administrative accounts, modify site content, install malicious plugins, and potentially gain access to sensitive data stored on the server. This can lead to significant reputational damage, financial loss, and potential legal consequences for the website owner.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WishList Member plugin to the latest version to patch CVE-2026-6895.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003eexport_settings\u003c/code\u003e function in the WishList Member plugin using the Sigma rule \u003ccode\u003eDetect WishList Member export_settings Request\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview existing WordPress user accounts and membership levels for any unauthorized or suspicious entries after patching, and investigate potential exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:33:44Z","date_published":"2026-05-26T13:33:44Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wishlist-auth-bypass/","summary":"The WishList Member plugin for WordPress is vulnerable to Missing Authorization, allowing attackers to obtain the REST API Secret Key and escalate privileges to administrator.","title":"WishList Member WordPress Plugin Missing Authorization Leads to Privilege Escalation (CVE-2026-6895)","url":"https://feed.craftedsignal.io/briefs/2026-05-wishlist-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — WishList Member Plugin \u003c= 3.30.1","version":"https://jsonfeed.org/version/1.1"}