https://feed.craftedsignal.io/products/wishlist-member-plugin/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 26 May 2026 13:34:15 +0000https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6898-wordpress-takeover/Tue, 26 May 2026 13:34:15 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-6898-wordpress-takeover/The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check (CVE-2026-6898), allowing authenticated attackers with subscriber-level access or higher to update the REST API Secret Key, create administrator accounts, and achieve complete site takeover.CVE-2026-6898 affects the Wishlist Member plugin for WordPress, specifically versions up to and including 3.30.1. A missing capability check on the WishListMember3_Hooks::generate_api_key function allows authenticated attackers with at least subscriber-level privileges to modify sensitive data, specifically the REST API Secret Key. By exploiting this vulnerability, an attacker can create a new membership level with administrator privileges and register an arbitrary administrator-level user account, leading to complete control of the WordPress site. This is a critical vulnerability as it allows for a low-privileged user to gain administrative access, bypassing standard authentication and authorization mechanisms.

Attack Chain

1. Attacker authenticates to the WordPress site with a subscriber-level account or higher.
2. Attacker sends a request to the WishListMember3_Hooks::generate_api_key function to update the REST API Secret Key due to the missing capability check.
3. The REST API Secret Key is updated by the attacker.
4. Attacker leverages the updated REST API Secret Key to create a new membership level.
5. The attacker configures this new membership level with administrator privileges.
6. The attacker registers a new user account and assigns it to the newly created membership level with administrator privileges.
7. Attacker logs in with the newly created administrator account.
8. Attacker gains complete control over the WordPress site, able to modify content, install plugins, and manage users.

Impact

Successful exploitation of CVE-2026-6898 results in complete site takeover. An attacker can gain administrative access to the WordPress site, enabling them to modify content, inject malicious code, install or remove plugins, and manage user accounts. This can lead to data theft, defacement of the website, or use of the compromised site for malicious purposes, such as hosting phishing pages or malware. The vulnerability impacts any WordPress site using the Wishlist Member plugin version 3.30.1 or earlier.

Recommendation

• Upgrade the Wishlist Member plugin to the latest version to patch CVE-2026-6898.
• Deploy the Sigma rule “Detect CVE-2026-6898 Exploitation Attempt - REST API Key Update” to monitor for unauthorized attempts to update the REST API Secret Key in web server logs.
• Review user roles and permissions to ensure appropriate access controls are in place, and investigate any unexpected administrator accounts.

]]>criticaladvisorywordpresspluginprivilege-escalationcredential-accesspersistenceinitial-accesshttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-6897-wishlist-member-takeover/Tue, 26 May 2026 13:34:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-6897-wishlist-member-takeover/CVE-2026-6897 is a critical vulnerability in the Wishlist Member plugin for WordPress, allowing authenticated attackers with subscriber-level access to modify plugin settings, including the REST API secret key, ultimately enabling them to create administrator accounts and take over the entire site.The Wishlist Member plugin, a popular WordPress plugin for membership management, is vulnerable to unauthorized data modification. This vulnerability, identified as CVE-2026-6897, resides in the ‘WishListMember\Features\Team_Accounts::save_settings’ function. Versions of the plugin up to and including 3.30.1 are affected. An authenticated attacker with subscriber-level or higher permissions can exploit this flaw. By bypassing capability checks, the attacker can modify arbitrary plugin options, including the REST API Secret Key. This critical oversight enables the attacker to create a new membership level with administrator privileges or register an arbitrary administrator-level user account. Successful exploitation results in complete control and takeover of the WordPress site.

Attack Chain

1. An attacker gains subscriber-level access to a WordPress site running a vulnerable version (<=3.30.1) of the Wishlist Member plugin.
2. The attacker crafts a malicious request to the ‘WishListMember\Features\Team_Accounts::save_settings’ function, bypassing capability checks.
3. The request modifies the plugin’s settings, specifically targeting the REST API Secret Key.
4. Using the modified REST API Secret Key, the attacker authenticates and gains elevated privileges.
5. The attacker creates a new membership level within the plugin and assigns the ‘administrator’ WordPress role to it.
6. Alternatively, the attacker uses the modified REST API Secret Key to directly register a new user account with administrator privileges.
7. The attacker logs in with the newly created administrator account.
8. The attacker gains full control over the WordPress site, allowing them to modify content, install plugins, and manage users.

Impact

Successful exploitation of CVE-2026-6897 leads to complete site takeover. Attackers can modify website content, inject malicious code, steal sensitive data, and compromise user accounts. Given the widespread use of WordPress and the Wishlist Member plugin, a significant number of websites are potentially vulnerable. The impact ranges from defacement and data theft to complete business disruption and reputational damage. A successful attack allows the attacker to persist on the system indefinitely.

Recommendation

• Immediately update the Wishlist Member plugin to the latest version, which contains a patch for CVE-2026-6897.
• Deploy the Sigma rule “Detect Wishlist Member Plugin API Key Modification” to monitor for unauthorized modifications to the REST API Secret Key.
• Deploy the Sigma rule “Detect Wishlist Member Plugin Admin Account Creation” to detect the creation of new administrator accounts via the Wishlist Member plugin.
• Review existing user accounts and remove any unauthorized administrator accounts.
• Monitor WordPress logs for suspicious activity, particularly related to plugin settings modifications and user account creation.

]]>criticaladvisorywordpresspluginprivilege-escalationcredential-accesspersistencehttps://feed.craftedsignal.io/briefs/2026-05-wishlist-member-privesc/Tue, 26 May 2026 13:33:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-wishlist-member-privesc/The WishList Member plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6419) due to a missing capability and nonce check in the ajax_get_screen() function, allowing authenticated attackers with subscriber-level access to retrieve the plugin's REST API Secret Key and create administrator accounts, leading to complete site takeover.The WishList Member plugin for WordPress, versions up to and including 3.30.1, is vulnerable to a privilege escalation vulnerability (CVE-2026-6419). The vulnerability stems from a missing capability and nonce check in the ajax_get_screen() function. This flaw allows authenticated attackers with subscriber-level access (or higher) to supply an arbitrary admin screen identifier via the data[url] parameter. This leads the plugin to load and execute the administrative API configuration template without proper authorization. A successful exploit allows the attacker to retrieve the plugin’s plaintext REST API Secret Key. This key can then be used to authenticate to the WishList Member API and create new membership levels with the administrator WordPress role. Finally, the attacker can register an arbitrary administrator-level user account, resulting in a complete site takeover.

Attack Chain

1. An attacker logs into a WordPress site with a valid, low-privileged account (e.g., Subscriber).
2. The attacker crafts a malicious AJAX request targeting the /wp-admin/admin-ajax.php endpoint.
3. The crafted request includes the action=wishlistmember_get_screen parameter, triggering the vulnerable ajax_get_screen() function within the WishList Member plugin.
4. The request includes a data[url] parameter containing a crafted string pointing to an administrative screen related to the plugin’s API configuration. This bypasses the missing capability and nonce check.
5. The ajax_get_screen() function executes the administrative API configuration template, exposing the plaintext REST API Secret Key in the response.
6. The attacker extracts the REST API Secret Key from the AJAX JSON response.
7. The attacker uses the obtained REST API Secret Key to authenticate to the WishList Member API and create a new membership level associated with the WordPress administrator role.
8. Finally, the attacker registers a new WordPress user account and assigns it to the newly created administrator-level membership, granting themselves complete control of the WordPress site.

Impact

Successful exploitation of CVE-2026-6419 allows a low-privileged attacker to gain complete control of the affected WordPress site. This can lead to data breaches, defacement, malware distribution, and denial of service. The vulnerability affects all WordPress sites using the WishList Member plugin versions 3.30.1 and below. The potential number of affected sites is estimated to be in the tens of thousands based on plugin download statistics.

Recommendation

• Upgrade the WishList Member plugin to the latest version to patch CVE-2026-6419.
• Deploy the Sigma rule “Detect WishList Member API Key Retrieval (CVE-2026-6419)” to detect attempts to exploit this vulnerability by monitoring for requests to /wp-admin/admin-ajax.php with the wishlistmember_get_screen action and suspicious data[url] parameters.
• Monitor WordPress access logs for unusual AJAX requests originating from low-privileged user accounts, and investigate any suspicious activity.

]]>criticalthreatprivilege-escalationwordpresspluginCVE-2026-6419