Wishlist Member
Affected versions: <= 3.30.1
A vulnerability exists in the Wishlist Member plugin for WordPress, in all versions through 3.30.1, due to a lack of proper capability checks in the 'WishListMember\Features\Team_Accounts::save_settings' function. This flaw enables authenticated attackers with Subscriber-level access or higher to modify arbitrary plugin options. Notably, this includes the REST API Secret Key, which can be exploited to create a new membership level assigned to the administrator role, and to register any user as an administrator, leading to complete control over the site.
In practical terms, any authenticated user can rewrite the plugin's settings, including the REST API Secret Key, and use that key to escalate privileges: either by creating a membership level that carries administrative rights or by registering a user as an administrator. The result is full control of the WordPress site.
No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.
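The defect class described above is a settings-save handler reachable by any logged-in user with no capability check. The following is a constructed, illustrative WordPress plugin snippet, not Wishlist Member's code, showing that pattern beside a hardened version; the function names, action hooks and option names are assumptions.

```php
<?php
// Constructed example (not Wishlist Member's code). Illustrates a settings-save
// AJAX handler that lacks a capability check, next to a hardened version.

// Vulnerable pattern: reachable through admin-ajax.php by any authenticated user,
// because wp_ajax_* hooks only require a login. No capability check, no nonce,
// and option names come straight from the request, so any option can be overwritten.
function example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    foreach ( $settings as $key => $value ) {
        update_option( 'example_' . $key, $value ); // attacker controls $key and $value
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_vulnerable', 'example_save_settings_vulnerable' );

// Hardened pattern: require an administrative capability, verify a nonce to block
// cross-site request forgery, and accept only an allow-list of option names, each
// passed through a sanitizer. A Subscriber now receives a 403 before anything is saved.
function example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // exits
    }
    check_ajax_referer( 'example_save_settings', 'nonce' );   // dies on bad/missing nonce

    // Assumed option names for this example; map each to its sanitizer.
    $allowed = array(
        'api_secret_key' => 'sanitize_text_field',
        'team_limit'     => 'absint',
    );
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( array_key_exists( $key, $settings ) ) {
            update_option( 'example_' . $key, call_user_func( $sanitizer, $settings[ $key ] ) );
        }
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
```

In a real plugin only the hardened handler would be registered; the vulnerable one is hooked under a separate action name here purely for side-by-side comparison.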