WishList Member Missing Authorization Vulnerability Allows Privilege Escalation and Site Takeover

Vulnerability

A vulnerability exists in the WishList Member plugin for WordPress, in all versions through 3.30.1, due to a lack of proper capability checks in the 'WishListMember3_Hooks::generate_api_key' function. This flaw enables authenticated attackers with Subscriber-level access or higher to modify the REST API Secret Key. Exploiting this vulnerability could lead to the creation of a new membership level assigned the administrator role, as well as the registration of an arbitrary user with administrator privileges, resulting in complete control over the site.
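The class of defect described above, as an added illustration that is not WishList Member's own code: a hypothetical admin-ajax handler that regenerates a stored API secret, shown first without any authorization check (WordPress routes every `wp_ajax_*` action to any logged-in user, Subscriber included) and then with the nonce and capability checks a privileged action needs. The function, option, action and nonce names are assumptions.

```php
<?php
// Hypothetical handlers; all names below are assumptions, not the plugin's code.

// VULNERABLE pattern: wp_ajax_* actions are reachable by any authenticated user,
// so with no capability check a Subscriber can rotate the secret that protects
// the REST API and then use the new value to call privileged endpoints.
function example_generate_api_key_unchecked() {
    $new_key = wp_generate_password( 32, false );
    update_option( 'example_rest_api_secret', $new_key );
    wp_send_json_success( array( 'key' => $new_key ) );
}
add_action( 'wp_ajax_example_generate_api_key_unchecked', 'example_generate_api_key_unchecked' );

// HARDENED pattern: verify a nonce (blocks CSRF) and an administrator-level
// capability before touching the secret; everyone else gets a 403 and no key.
function example_generate_api_key_checked() {
    // check_ajax_referer() dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_generate_api_key', 'nonce' );

    // Only users who may manage site options (administrators) can rotate the key.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $new_key = wp_generate_password( 32, false );
    update_option( 'example_rest_api_secret', $new_key );
    wp_send_json_success( array( 'key' => $new_key ) );
}
add_action( 'wp_ajax_example_generate_api_key_checked', 'example_generate_api_key_checked' );
```

Only the checked handler belongs in a real plugin; the unchecked one is kept here solely to show which two lines make the difference between "any logged-in user" and "administrators only".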

Impact

Exploitation of this vulnerability allows for unauthorized modification of data, specifically the REST API Secret Key, which can be misused to escalate privileges and take over the site by creating new administrator accounts or roles.

Remediation

Users are advised to update to version 3.31.0 or a newer patched version.

Added: May 26, 2026, 9:26 PM
Updated: May 26, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.2
remediation: 0.0
relevance: 9.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.