"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 4
Critical: 0
High: 4
Medium: 0
Showing 1-4 of 4 records

Threat Entry Updated 2026-05-26

CVE-2026-6898 - Wishlist Member Plugin

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3_Hooks::generate_api_key' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.

PLUGIN Wishlist Member

CVE-2026-6898

HIGH CVSS 8.8 2026-05-23

Threat Entry Updated 2026-05-26

CVE-2026-6897 - Wishlist Member Plugin

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\Team_Accounts::save_settings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options, including the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.

PLUGIN Wishlist Member

CVE-2026-6897

HIGH CVSS 8.8 2026-05-23

Threat Entry Updated 2026-05-26

CVE-2026-6895 - Wishlist Member Plugin

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'export_settings' function. This function returns the REST API Secret Key to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.

PLUGIN Wishlist Member

CVE-2026-6895

HIGH CVSS 8.8 2026-05-23

Threat Entry Updated 2026-05-26

CVE-2026-6419 - Wishlist Member Plugin

The WishList Member plugin for WordPress is vulnerable to Privilege Escalation via Missing Authorization in versions up to and including 3.30.1. This is due to the missing capability and nonce check in the ajax_get_screen() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to supply an arbitrary admin screen identifier via the data[url] parameter, causing the plugin to load and execute the administrative API configuration template without authorization. The rendered HTML, which contains the plugin's plaintext REST API Secret Key, is returned directly to the attacker…

PLUGIN Wishlist Member

CVE-2026-6419

HIGH CVSS 8.8 2026-05-23