WishList Member Privilege Escalation Vulnerability via Missing Authorization in AJAX Action

Vulnerability

A privilege escalation vulnerability has been identified in the WishList Member plugin for WordPress, affecting versions through 3.30.1. The issue arises from a missing capability check and missing nonce check in the 'ajax_get_screen()' function, which allows authenticated attackers with Subscriber-level access or higher to manipulate admin screen identifiers. As a result, the plugin loads and executes administrative API templates without authorization, and the rendered output, including the plaintext REST API Secret Key, is returned in the AJAX JSON response. With this key, an attacker can access the WishList Member API, create new membership levels with administrative privileges, and register users with administrator roles, leading to a complete takeover of the site.
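The root cause described above is a WordPress AJAX handler that neither verifies a nonce nor checks the caller's capability before rendering privileged screens. The following is an added example written for this advisory, not WishList Member's own code: a hypothetical handler (the `myplugin_*` names, the `myplugin_admin` nonce action and the screen-to-template map are all assumptions) is shown with the defect and then in a hardened form that applies the two missing checks.

```php
<?php
// Added example for this advisory; not the plugin's code.
// All myplugin_* names, the nonce action and the template map are assumptions.

// Screens this plugin can render; some of them expose admin-only data.
// (Constructed sample; real plugins would populate this from their own files.)
function myplugin_screen_templates() {
    return array(
        'dashboard' => 'admin/screens/dashboard.php',
        'members'   => 'admin/screens/members.php',
        'api'       => 'admin/screens/api.php', // would render API settings
    );
}

// VULNERABLE PATTERN. Registered on wp_ajax_*, so every logged-in user
// (Subscriber and up) can reach it. It trusts the 'screen' parameter and
// renders the matching template with no nonce and no capability check,
// so the template's output is handed back to any authenticated caller.
function myplugin_ajax_get_screen_vulnerable() {
    $templates = myplugin_screen_templates();
    $screen    = isset( $_POST['screen'] ) ? $_POST['screen'] : '';

    ob_start();
    if ( isset( $templates[ $screen ] ) ) {
        include plugin_dir_path( __FILE__ ) . $templates[ $screen ];
    }
    wp_send_json( array( 'html' => ob_get_clean() ) );
}

// HARDENED PATTERN: same behaviour for administrators, nothing for anyone else.
function myplugin_ajax_get_screen_secure() {
    // 1. Nonce: the request must carry a token issued to an admin page this
    //    plugin rendered (sent as the 'nonce' POST field). On failure
    //    check_ajax_referer() terminates the request itself.
    check_ajax_referer( 'myplugin_admin', 'nonce' );

    // 2. Capability: only users who may manage the site can render admin
    //    screens. Role names are not checked; the capability is.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Validate the identifier against the known screen map instead of
    //    trusting the raw value.
    $templates = myplugin_screen_templates();
    $screen    = isset( $_POST['screen'] ) ? sanitize_key( wp_unslash( $_POST['screen'] ) ) : '';
    if ( ! isset( $templates[ $screen ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown screen' ), 400 );
    }

    ob_start();
    include plugin_dir_path( __FILE__ ) . $templates[ $screen ];
    wp_send_json_success( array( 'html' => ob_get_clean() ) );
}

// Hook only the hardened handler. Note the action is wp_ajax_ (authenticated
// users), not wp_ajax_nopriv_; the capability check is still required because
// "authenticated" includes Subscribers.
add_action( 'wp_ajax_myplugin_get_screen', 'myplugin_ajax_get_screen_secure' );

// The admin-side script that calls this action receives its nonce like so
// (inside the plugin's admin_enqueue_scripts callback; script handle assumed).
function myplugin_enqueue_admin_assets() {
    wp_localize_script(
        'myplugin-admin',
        'mypluginAjax',
        array(
            'url'   => admin_url( 'admin-ajax.php' ),
            'nonce' => wp_create_nonce( 'myplugin_admin' ),
        )
    );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_assets' );
```

Both checks are needed: the nonce alone stops cross-site request forgery but is issued to any logged-in user who loads the page that carries it, and the capability check alone does nothing against a forged request made in an administrator's browser. When auditing a plugin, review every `wp_ajax_*` callback for the same two calls before the first line that touches privileged data.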

Impact

Successful exploitation grants unauthorized access to the WishList Member API, including the ability to create new membership levels assigned to the administrator role and to register users as administrators, resulting in full control over the WordPress site.

Remediation

Users are advised to update the WishList Member plugin to version 3.31.0 or later.

Added: May 26, 2026, 1:59 PM
Updated: May 26, 2026, 1:59 PM

Vulnerability Rating

Custom Algorithm (score per category, 0.0 to 10.0)

    spread          0.0
    impact          2.5
    exploitability  5.2
    remediation     0.0
    relevance       9.2
    threat          0.0
    urgency         2.9
    incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.