← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-6419 · CWE-269 · Disclosed 2026-05-23

The WishList Member plugin for WordPress is vulnerable to Privilege Escalation via Missing Authorization in…

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a spare key hidden in the customer lobby, not a deadbolt that opens from the street

CVE-2026-6419 affects the WishList Member WordPress plugin in versions up to and including 3.30.1; authoritative third-party advisories list 3.31.0 as patched. The flaw sits in the ajax_get_screen() path behind wp-admin/admin-ajax.php: a logged-in Subscriber+ user can supply an arbitrary data[url] value, make the plugin render an administrative API configuration screen, and receive HTML containing the plugin's plaintext REST API secret key. With that key, the attacker can use the WishList Member API to create an admin-mapped membership level and then register an arbitrary administrator account.

paragraphs

"Full site takeover is real, but the need for a live subscriber session keeps this below top-tier internet emergency."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Obtain a subscriber session

The attacker first needs a valid WordPress account with at least the Subscriber role. On many membership sites that is not a breach-level prerequisite; it can be a normal customer sign-up, a cheap purchased account, or a credential-stuffed reused password. Tooling is basic here: curl, Burp Suite, or WP-focused login automation is enough.
Conditions required:
  • WishList Member is installed and active
  • Attacker can authenticate as Subscriber or higher
  • The target site exposes normal WordPress login or registration paths
Where this breaks in practice:
  • Some sites disable public registration or require paid enrollment
  • MFA, CAPTCHA, rate limiting, and SSO make account acquisition materially harder
  • This is not unauthenticated internet spray-and-pray exploitation
Detection/coverage: Login telemetry, failed-password bursts, impossible-travel patterns, and new low-privilege account creation are the best early signals. External scanners usually cannot validate this step without credentials.
STEP 02

Call wlm3_get_screen to leak the API key

Using the authenticated session, the attacker POSTs to /wp-admin/admin-ajax.php with action=wlm3_get_screen and a crafted data[url] value that loads the API settings view. The vulnerable handler lacks the authorization and nonce checks that should fence this admin-only screen, so the JSON response includes rendered HTML containing the WishList Member REST API secret key. Public writeups and PoC material already describe this flow and even share WAF signatures for it.
Conditions required:
  • Plugin version is <= 3.30.1
  • Authenticated session cookie is valid
  • The vulnerable AJAX action is reachable
Where this breaks in practice:
  • A WAF tuned for WordPress AJAX abuse can block or flag the specific action/value pair
  • Hardened sites may restrict /wp-admin/admin-ajax.php behavior or monitor abnormal low-privilege AJAX actions
  • Attackers still need to know the right screen identifier
Detection/coverage: Look for POSTs to /wp-admin/admin-ajax.php with action=wlm3_get_screen, especially from Subscriber accounts. Version scanners can identify the vulnerable plugin, but host or app logs are better for detecting actual exploitation attempts.
STEP 03

Abuse the leaked secret against the WishList Member API

Once the REST API secret key is exposed, the attacker switches from the web UI to the WishList Member API. Public PoC logic shows the next move: authenticate to the API, create a membership level mapped to the WordPress administrator role, and prepare the environment for account creation. This is the amplifier step that turns an info leak into deterministic privilege escalation.
Conditions required:
  • Secret key was successfully extracted
  • WishList Member API endpoints are enabled and reachable
  • API actions for membership-level creation are accepted with the leaked key
Where this breaks in practice:
  • If the API is disabled, filtered, or heavily customized, the chain can break
  • Defenders rotating the API key after suspicious activity can cut the attacker off
  • Some implementations may have additional business-logic constraints
Detection/coverage: Monitor API calls to /wp-json/wlm3/ from unusual clients, newly used bearer credentials, or abrupt membership-level changes. Traditional network scanners will miss this because the secret is needed first.
STEP 04

Create an administrator and take over the site

The attacker completes the chain by registering a new administrator-level user through the API or by otherwise assigning admin-equivalent rights via the newly created membership level. From there, WordPress compromise is routine: install a plugin, add a web shell, change payment flows, scrape member data, or pivot into whatever sits behind that CMS. At that point this is full application takeover, not a narrow role abuse.
Conditions required:
  • Prior API abuse succeeded
  • WordPress admin-capable role assignment is possible through the API workflow
Where this breaks in practice:
  • SOC review of new admin creation can contain the incident fast
  • Least-privilege hosting or immutable deployments can reduce post-takeover persistence options
  • Some sites closely review plugin/theme installation or file changes
Detection/coverage: Alert on new administrator accounts, membership levels mapped to administrator, unexpected plugin installs, and changes to WordPress options. EDR only helps after the attacker reaches host-level persistence.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed active exploitation found in the sources reviewed; no CISA KEV listing and no vendor/primary-source incident bulletin observed.
Proof-of-concept availabilityPublic exploit logic exists. Atomic Edge published a metadata-based PoC and a matching ModSecurity rule for the wlm3_get_screen AJAX path.
EPSS0.00044 from the prompt, which is extremely low and argues against broad opportunistic exploitation right now. Percentile was not supplied in the prompt and I did not independently confirm it from FIRST data.
KEV statusNot listed in the CISA Known Exploited Vulnerabilities catalog as of the sources reviewed.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H — the vendor score correctly captures easy exploitation once logged in and full-site impact, but it underweights the real-world friction of needing an authenticated low-privilege account first.
Affected versionsWishList Member <= 3.30.1.
Fixed version3.31.0 is listed by Patchstack as the patched release. I did not find distro backport packaging guidance because this is a WordPress plugin, not an OS package.
Exposure / scanning realityInternet-scale census is weak. This flaw hides behind authenticated admin-ajax.php traffic and a premium WordPress plugin with no dependable banner fingerprint, so Shodan/Censys-style exposure counts are not trustworthy here.
Disclosure timingNVD shows publication on 2026-05-23; Patchstack shows publication on 2026-05-25; the vendor changelog shows 3.31.0 released on 2026-04-26, which implies the fix likely shipped before public CVE publication.
Researcher / reporting orgThe CNA/source of record is Wordfence in NVD; Patchstack credits the researcher as h0xilo.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to HIGH (7.4/10)

The decisive factor is that exploitation requires authenticated Subscriber+ access, which sharply narrows the reachable population compared with a true unauthenticated web bug. It stays HIGH because this specific product is a membership plugin where subscriber accounts are often easy to obtain legitimately, and successful exploitation ends in complete WordPress administrator takeover.

HIGH Exploit chain and technical impact
MEDIUM Real-world exposure prevalence across enterprise estates

Why this verdict

  • Downward pressure: requires authenticated access — baseline vendor score is 8.8, but the first prerequisite is a live WordPress account with at least Subscriber rights. That means the bug is *not* a cold internet edge exploit and should be scored below unauthenticated takeover flaws.
  • Upward pressure: product context weakens the auth friction — this is a membership plugin, so low-privilege user accounts are often the normal business model, not a rare insider foothold. On many affected sites, an attacker does not need prior host compromise; they may only need to sign up or buy the cheapest account tier.
  • Downward pressure: no current exploitation signal — the prompt's EPSS is 0.00044, the CVE is not in KEV, and I found no primary-source evidence of active campaigns. That argues against emergency-at-scale treatment even though the impact is full site takeover.
  • Upward pressure: blast radius is full application compromise — once the secret key is exposed, the chain leads to administrator account creation and standard WordPress persistence. For the affected site, this is not cosmetic misconfiguration; it is a complete trust-boundary failure.
  • Downward pressure: exposure is narrower than generic WordPress plugin bugs — WishList Member is a premium, more specialized plugin and the vulnerable path sits behind authenticated admin-ajax.php usage. That lowers opportunistic mass-scanning efficiency compared with easily fingerprinted public endpoints.

Why not higher?

This is not unauthenticated remote code execution and not a one-packet internet-edge compromise. The chain depends on an authenticated Subscriber+ session and a working WishList Member API path, which removes a large share of opportunistic attacker population and slows mass exploitation.

Why not lower?

Calling this MEDIUM would ignore the fact that the end state is full administrator takeover with straightforward, low-complexity exploitation once logged in. For membership sites where subscriber creation is part of normal business, the access prerequisite is often a speed bump, not a moat.

05 · Compensating Control

What to do — in priority order.

  1. Upgrade WishList Member to 3.31.0 or later — This is the clean fix and should be your first control. For a HIGH verdict, complete this within 30 days at the latest, and faster on any internet-facing membership property with self-registration enabled.
  2. Disable or tightly gate self-registration — Reduce the cheapest path into the exploit chain by turning off open registration where business permits, or requiring payment approval, invite-only onboarding, stronger CAPTCHA, and MFA. Apply this compensating control within 30 days if patching cannot happen immediately.
  3. Block suspicious wlm3_get_screen AJAX requests — Use your WAF or reverse proxy to inspect POSTs to /wp-admin/admin-ajax.php and deny action=wlm3_get_screen from low-privilege or anonymous contexts where possible. Deploy within 30 days as an interim shield for lagging sites.
  4. Rotate the WishList Member API secret after patching — If the key may already have been exposed, patching alone does not invalidate a stolen credential. Rotate the secret and review API consumers within 30 days, immediately for any site showing suspicious AJAX or API activity.
  5. Hunt for post-exploit artifacts — Review for newly created administrator accounts, new membership levels mapped to administrator, unexpected plugin installs, and calls to /wp-json/wlm3/. Do this within 30 days across all affected sites because the most likely attacker objective is durable site takeover.
What doesn't work
  • Relying on WordPress role separation alone does not help, because the flaw is precisely a failure to enforce authorization in a low-privilege context.
  • A generic perimeter vulnerability scanner will often miss the real risk because exploitation sits behind authentication and application logic rather than a simple version banner.
  • Host EDR alone is late in the chain; it may catch persistence after takeover, but it does not stop the secret-key disclosure or rogue admin creation at the application layer.
06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host or a mounted backup of the web root. Invoke it as bash check-cve-2026-6419.sh /var/www/html with read access to the WordPress installation; no root is required unless filesystem permissions demand it.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-cve-2026-6419.sh
# Detects whether WishList Member appears vulnerable to CVE-2026-6419 based on installed version.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=USAGE

set -u

TARGET_VERSION="3.30.1"

usage() {
  echo "Usage: $0 /path/to/wordpress"
  exit 3
}

verlte() {
  # returns 0 if $1 <= $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

extract_version() {
  local plugin_dir="$1"
  local v=""

  # Try common metadata files first
  if [ -f "$plugin_dir/readme.txt" ]; then
    v=$(grep -iE '^Stable tag:' "$plugin_dir/readme.txt" | head -n1 | sed -E 's/^Stable tag:[[:space:]]*//I' | tr -d '\r')
    if [ -n "$v" ] && [[ "$v" =~ ^[0-9]+(\.[0-9]+)+$ ]]; then
      echo "$v"
      return 0
    fi
  fi

  # Search top-level PHP files for a plugin header Version field
  while IFS= read -r -d '' f; do
    v=$(head -n 80 "$f" | grep -iE '^\s*Version:' | head -n1 | sed -E 's/^\s*Version:[[:space:]]*//I' | tr -d '\r')
    if [ -n "$v" ] && [[ "$v" =~ ^[0-9]+(\.[0-9]+)+$ ]]; then
      echo "$v"
      return 0
    fi
  done < <(find "$plugin_dir" -maxdepth 1 -type f -name '*.php' -print0 2>/dev/null)

  return 1
}

[ $# -eq 1 ] || usage
WP_ROOT="$1"
PLUGIN_DIR="$WP_ROOT/wp-content/plugins/wishlist-member-x"

if [ ! -d "$WP_ROOT" ]; then
  echo "UNKNOWN: WordPress path does not exist: $WP_ROOT"
  exit 2
fi

if [ ! -d "$PLUGIN_DIR" ]; then
  echo "UNKNOWN: WishList Member plugin directory not found at $PLUGIN_DIR"
  exit 2
fi

VERSION=$(extract_version "$PLUGIN_DIR") || true

if [ -z "${VERSION:-}" ]; then
  echo "UNKNOWN: Could not determine WishList Member version from $PLUGIN_DIR"
  exit 2
fi

if verlte "$VERSION" "$TARGET_VERSION"; then
  echo "VULNERABLE: WishList Member version $VERSION <= $TARGET_VERSION"
  exit 1
else
  echo "PATCHED: WishList Member version $VERSION > $TARGET_VERSION"
  exit 0
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: inventory every WordPress site running WishList Member, identify anything at 3.30.1 or earlier, and assume the risky population is your membership/self-registration sites first. Because this lands in HIGH, apply compensating controls under the noisgate mitigation SLA within 30 days — or faster for internet-facing sites with open registration — then complete the vendor upgrade to 3.31.0+ under the noisgate remediation SLA within 180 days; after patching, rotate the WishList Member API secret and review for unauthorized admin creation.

Sources

  1. NVD CVE-2026-6419
  2. Patchstack advisory for CVE-2026-6419
  3. Wordfence WishList Member vulnerability page with recent CVEs
  4. WishList Member changelog index
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS API documentation
  7. Atomic Edge PoC and WAF rule for CVE-2026-6419
  8. WishList Member version support policy
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.