NVD HIGH: CVE-2026-6897 — The Wishlist Member plugin for WordPress is vulnerable to unauthorized modificat...

Saturday, May 23, 2026 at 05:16 AM UTC·Source: NIST NVD

Updated: Thursday, May 28, 2026 at 07:00 PM UTC

Executive Summary

Analysis

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\Team_Accounts::save_settings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options, includes the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover. CVSS Score: 8.8. Published: 2026-05-23T05:16:34.407.

Indicators of Compromise (1)

CVE (1)

CVE-2026-6897

NVD MITRE CVE

Source Attribution

Originally published by NIST NVD on May 23, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerabilityNEW

ThinkMarkets launches Ai assistant for CFD trading

ThinkMarkets (www.ThinkMarkets.com) today launches ChelseaAI, a product that connects a live ThinkTrader account directly to an AI assistant.

Just nowFinextra

MEDIUMVulnerabilityNEW

Beyond Assume-Breach: How AI-Native Security Will Reshape Enterprise Defense

Twenty years after Dark Reading launched, we're looking ahead at what's next for enterprise security. Spoiler: It's hyper-segmented, AI-orchestrated, and way more sophisticated than your dad's firewall.

7m agoDark Reading

MEDIUMVulnerabilityNEW

Eventus names Eric Litz as CTo and Sarah-Jane McColl as chief customer officer

Eventus, a leading provider of comprehensive, at-scale trade surveillance and financial risk solutions, today announced the expansion of its leadership team with the appointment of Eric Litz as Chief Technology Officer (CTO) and Sarah-Jane McColl as Chief Customer Officer (CCO).

7m agoFinextra