{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wishlist-member-plugin/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6898"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Wishlist Member plugin"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","privilege-escalation","credential-access","persistence","initial-access"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eCVE-2026-6898 affects the Wishlist Member plugin for WordPress, specifically versions up to and including 3.30.1. A missing capability check on the \u003ccode\u003eWishListMember3_Hooks::generate_api_key\u003c/code\u003e function allows authenticated attackers with at least subscriber-level privileges to modify sensitive data, specifically the REST API Secret Key. By exploiting this vulnerability, an attacker can create a new membership level with administrator privileges and register an arbitrary administrator-level user account, leading to complete control of the WordPress site. This is a critical vulnerability as it allows for a low-privileged user to gain administrative access, bypassing standard authentication and authorization mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the WordPress site with a subscriber-level account or higher.\u003c/li\u003e\n\u003cli\u003eAttacker sends a request to the \u003ccode\u003eWishListMember3_Hooks::generate_api_key\u003c/code\u003e function to update the REST API Secret Key due to the missing capability check.\u003c/li\u003e\n\u003cli\u003eThe REST API Secret Key is updated by the attacker.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the updated REST API Secret Key to create a new membership level.\u003c/li\u003e\n\u003cli\u003eThe attacker configures this new membership level with administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a new user account and assigns it to the newly created membership level with administrator privileges.\u003c/li\u003e\n\u003cli\u003eAttacker logs in with the newly created administrator account.\u003c/li\u003e\n\u003cli\u003eAttacker gains complete control over the WordPress site, able to modify content, install plugins, and manage users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6898 results in complete site takeover. An attacker can gain administrative access to the WordPress site, enabling them to modify content, inject malicious code, install or remove plugins, and manage user accounts. This can lead to data theft, defacement of the website, or use of the compromised site for malicious purposes, such as hosting phishing pages or malware. The vulnerability impacts any WordPress site using the Wishlist Member plugin version 3.30.1 or earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Wishlist Member plugin to the latest version to patch CVE-2026-6898.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-6898 Exploitation Attempt - REST API Key Update\u0026rdquo; to monitor for unauthorized attempts to update the REST API Secret Key in web server logs.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions to ensure appropriate access controls are in place, and investigate any unexpected administrator accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:34:15Z","date_published":"2026-05-26T13:34:15Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6898-wordpress-takeover/","summary":"The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check (CVE-2026-6898), allowing authenticated attackers with subscriber-level access or higher to update the REST API Secret Key, create administrator accounts, and achieve complete site takeover.","title":"CVE-2026-6898: Wishlist Member WordPress Plugin Vulnerability Leads to Site Takeover","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6898-wordpress-takeover/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6897"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Wishlist Member plugin"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","privilege-escalation","credential-access","persistence"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Wishlist Member plugin, a popular WordPress plugin for membership management, is vulnerable to unauthorized data modification. This vulnerability, identified as CVE-2026-6897, resides in the \u0026lsquo;WishListMember\\Features\\Team_Accounts::save_settings\u0026rsquo; function. Versions of the plugin up to and including 3.30.1 are affected. An authenticated attacker with subscriber-level or higher permissions can exploit this flaw. By bypassing capability checks, the attacker can modify arbitrary plugin options, including the REST API Secret Key. This critical oversight enables the attacker to create a new membership level with administrator privileges or register an arbitrary administrator-level user account. Successful exploitation results in complete control and takeover of the WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains subscriber-level access to a WordPress site running a vulnerable version (\u0026lt;=3.30.1) of the Wishlist Member plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the \u0026lsquo;WishListMember\\Features\\Team_Accounts::save_settings\u0026rsquo; function, bypassing capability checks.\u003c/li\u003e\n\u003cli\u003eThe request modifies the plugin\u0026rsquo;s settings, specifically targeting the REST API Secret Key.\u003c/li\u003e\n\u003cli\u003eUsing the modified REST API Secret Key, the attacker authenticates and gains elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new membership level within the plugin and assigns the \u0026lsquo;administrator\u0026rsquo; WordPress role to it.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses the modified REST API Secret Key to directly register a new user account with administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in with the newly created administrator account.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control over the WordPress site, allowing them to modify content, install plugins, and manage users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6897 leads to complete site takeover. Attackers can modify website content, inject malicious code, steal sensitive data, and compromise user accounts. Given the widespread use of WordPress and the Wishlist Member plugin, a significant number of websites are potentially vulnerable. The impact ranges from defacement and data theft to complete business disruption and reputational damage. A successful attack allows the attacker to persist on the system indefinitely.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Wishlist Member plugin to the latest version, which contains a patch for CVE-2026-6897.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Wishlist Member Plugin API Key Modification\u0026rdquo; to monitor for unauthorized modifications to the REST API Secret Key.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Wishlist Member Plugin Admin Account Creation\u0026rdquo; to detect the creation of new administrator accounts via the Wishlist Member plugin.\u003c/li\u003e\n\u003cli\u003eReview existing user accounts and remove any unauthorized administrator accounts.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress logs for suspicious activity, particularly related to plugin settings modifications and user account creation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:34:00Z","date_published":"2026-05-26T13:34:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6897-wishlist-member-takeover/","summary":"CVE-2026-6897 is a critical vulnerability in the Wishlist Member plugin for WordPress, allowing authenticated attackers with subscriber-level access to modify plugin settings, including the REST API secret key, ultimately enabling them to create administrator accounts and take over the entire site.","title":"CVE-2026-6897: Wishlist Member Plugin Vulnerability Leads to WordPress Site Takeover","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6897-wishlist-member-takeover/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6419"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WishList Member plugin"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","wordpress","plugin","CVE-2026-6419"],"_cs_type":"threat","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WishList Member plugin for WordPress, versions up to and including 3.30.1, is vulnerable to a privilege escalation vulnerability (CVE-2026-6419). The vulnerability stems from a missing capability and nonce check in the \u003ccode\u003eajax_get_screen()\u003c/code\u003e function. This flaw allows authenticated attackers with subscriber-level access (or higher) to supply an arbitrary admin screen identifier via the \u003ccode\u003edata[url]\u003c/code\u003e parameter. This leads the plugin to load and execute the administrative API configuration template without proper authorization. A successful exploit allows the attacker to retrieve the plugin\u0026rsquo;s plaintext REST API Secret Key. This key can then be used to authenticate to the WishList Member API and create new membership levels with the administrator WordPress role. Finally, the attacker can register an arbitrary administrator-level user account, resulting in a complete site takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs into a WordPress site with a valid, low-privileged account (e.g., Subscriber).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003eaction=wishlistmember_get_screen\u003c/code\u003e parameter, triggering the vulnerable \u003ccode\u003eajax_get_screen()\u003c/code\u003e function within the WishList Member plugin.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003edata[url]\u003c/code\u003e parameter containing a crafted string pointing to an administrative screen related to the plugin\u0026rsquo;s API configuration. This bypasses the missing capability and nonce check.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eajax_get_screen()\u003c/code\u003e function executes the administrative API configuration template, exposing the plaintext REST API Secret Key in the response.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the REST API Secret Key from the AJAX JSON response.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained REST API Secret Key to authenticate to the WishList Member API and create a new membership level associated with the WordPress administrator role.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker registers a new WordPress user account and assigns it to the newly created administrator-level membership, granting themselves complete control of the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6419 allows a low-privileged attacker to gain complete control of the affected WordPress site. This can lead to data breaches, defacement, malware distribution, and denial of service. The vulnerability affects all WordPress sites using the WishList Member plugin versions 3.30.1 and below. The potential number of affected sites is estimated to be in the tens of thousands based on plugin download statistics.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WishList Member plugin to the latest version to patch CVE-2026-6419.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WishList Member API Key Retrieval (CVE-2026-6419)\u0026rdquo; to detect attempts to exploit this vulnerability by monitoring for requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003ewishlistmember_get_screen\u003c/code\u003e action and suspicious \u003ccode\u003edata[url]\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress access logs for unusual AJAX requests originating from low-privileged user accounts, and investigate any suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:33:27Z","date_published":"2026-05-26T13:33:27Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wishlist-member-privesc/","summary":"The WishList Member plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6419) due to a missing capability and nonce check in the ajax_get_screen() function, allowing authenticated attackers with subscriber-level access to retrieve the plugin's REST API Secret Key and create administrator accounts, leading to complete site takeover.","title":"WishList Member Plugin Privilege Escalation via Missing Authorization (CVE-2026-6419)","url":"https://feed.craftedsignal.io/briefs/2026-05-wishlist-member-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — WishList Member Plugin","version":"https://jsonfeed.org/version/1.1"}