{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-6419/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6419"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WishList Member plugin"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","wordpress","plugin","CVE-2026-6419"],"_cs_type":"threat","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WishList Member plugin for WordPress, versions up to and including 3.30.1, is vulnerable to a privilege escalation vulnerability (CVE-2026-6419). The vulnerability stems from a missing capability and nonce check in the \u003ccode\u003eajax_get_screen()\u003c/code\u003e function. This flaw allows authenticated attackers with subscriber-level access (or higher) to supply an arbitrary admin screen identifier via the \u003ccode\u003edata[url]\u003c/code\u003e parameter. This leads the plugin to load and execute the administrative API configuration template without proper authorization. A successful exploit allows the attacker to retrieve the plugin\u0026rsquo;s plaintext REST API Secret Key. This key can then be used to authenticate to the WishList Member API and create new membership levels with the administrator WordPress role. 
Finally, the attacker can register an arbitrary administrator-level user account, resulting in a complete site takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs into a WordPress site with a valid, low-privileged account (e.g., Subscriber).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003eaction=wishlistmember_get_screen\u003c/code\u003e parameter, triggering the vulnerable \u003ccode\u003eajax_get_screen()\u003c/code\u003e function within the WishList Member plugin.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003edata[url]\u003c/code\u003e parameter containing a crafted string pointing to an administrative screen related to the plugin\u0026rsquo;s API configuration. Because the function performs no capability or nonce check, the request is accepted without authorization.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eajax_get_screen()\u003c/code\u003e function executes the administrative API configuration template, exposing the plaintext REST API Secret Key in the response.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the REST API Secret Key from the AJAX JSON response.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained REST API Secret Key to authenticate to the WishList Member API and create a new membership level associated with the WordPress administrator role.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker registers a new WordPress user account and assigns it to the newly created administrator-level membership, granting themselves complete control of the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6419 allows a low-privileged attacker to gain complete control of the affected WordPress site. 
This can lead to data breaches, defacement, malware distribution, and denial of service. The vulnerability affects all WordPress sites using the WishList Member plugin versions 3.30.1 and below. The potential number of affected sites is estimated to be in the tens of thousands based on plugin download statistics.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WishList Member plugin to the latest version to patch CVE-2026-6419.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WishList Member API Key Retrieval (CVE-2026-6419)\u0026rdquo; to detect attempts to exploit this vulnerability by monitoring for requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003ewishlistmember_get_screen\u003c/code\u003e action and suspicious \u003ccode\u003edata[url]\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress access logs for unusual AJAX requests originating from low-privileged user accounts, and investigate any suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:33:27Z","date_published":"2026-05-26T13:33:27Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wishlist-member-privesc/","summary":"The WishList Member plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6419) due to a missing capability and nonce check in the ajax_get_screen() function, allowing authenticated attackers with subscriber-level access to retrieve the plugin's REST API Secret Key and create administrator accounts, leading to complete site takeover.","title":"WishList Member Plugin Privilege Escalation via Missing Authorization (CVE-2026-6419)","url":"https://feed.craftedsignal.io/briefs/2026-05-wishlist-member-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-6419","version":"https://jsonfeed.org/version/1.1"}