Wordfence published advisories on 23 May for four authorization failure vulnerabilities in WishList Member, a WordPress plugin that enables subscription-based membership sites with access-controlled content. The plugin has more than 100,000 active installations across membership communities, online course platforms, and subscription news sites.
All four vulnerabilities are scored CVSS 8.8 and share a common exploitability pattern: an authenticated user with subscriber-level access (the lowest authenticated role in WordPress, typically available to any registered member of the site) can exploit them to perform actions reserved for site administrators.
The Four Vulnerabilities
CVE-2026-6419 (AJAX Handler Privilege Escalation): The ajax_get_screen() function in WishList Member processes AJAX requests without verifying that the requesting user has the appropriate capability level. A subscriber-level authenticated user can call this function directly to execute administrative operations, including reading and modifying membership levels, member data, and access control rules.
CVE-2026-6895 (Sensitive Data Disclosure): An authorization check bypass allows subscriber-level users to read sensitive member account data, including email addresses, registration information, and membership status for all members on the site. For sites that handle regulated personal data (GDPR-covered EU member data, for example), this creates a data exposure risk.
CVE-2026-6897 (Arbitrary Data Modification): An authorization failure in a content management endpoint allows subscriber-level users to modify WordPress post metadata and custom fields for arbitrary posts, regardless of post ownership or administrator restrictions. This includes the ability to modify the content visibility rules of posts, potentially unlocking content that was restricted to higher membership tiers.
CVE-2026-6898 (Privilege Escalation to Administrator): The most severe of the four vulnerabilities allows a subscriber-level user to add their account to the WordPress administrator role, achieving full site administrative access. Full WordPress admin access allows arbitrary plugin installation, theme modification, and content management.
Enterprise Impact Context
WishList Member is commonly deployed on:
- Online learning platforms selling course access
- Professional association membership portals
- Subscription newsletter sites handling reader account data
- Corporate intranet portals built on WordPress with membership access controls
For these use cases, the privilege escalation to administrator (CVE-2026-6898) is the most critical: an attacker who registers as a member of the site can use the vulnerability to escalate to site administrator, then install arbitrary WordPress plugins (including those that provide web shells), access all member data, and take over the site entirely.
The sensitive data disclosure (CVE-2026-6895) has separate regulatory implications: for sites collecting personal data from EU residents, subscriber-accessible member data extraction triggers GDPR considerations if exploited.
Remediation
Update WishList Member to the patched version released alongside the Wordfence advisories. The plugin's update is available through the standard WordPress admin > Plugins > Updates interface.
For sites where immediate updating is not possible: consider removing subscriber self-registration temporarily to prevent unauthenticated attackers from obtaining the subscriber-level access required to exploit the vulnerabilities. This is a significant operational constraint but eliminates the precondition for exploitation.
Post-patch audit: Review the WordPress user role table (wp_usermeta where meta_key = 'wp_capabilities') for any accounts that have been elevated to administrator role that should not have been. Identify any new administrator accounts created during the exposure window.
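The post-patch audit above, worked through as an added example that is not part of the advisory or of the plugin: it reads the two WordPress core tables the audit depends on, decodes the PHP-serialized wp_capabilities value, and flags administrator accounts that are either absent from a known-good allowlist or were registered inside the exposure window. The table rows are constructed sample data held in an in-memory SQLite database, the meta_key assumes the default wp_ table prefix, and the allowlist and exposure window start are values the site operator supplies.

```python
import re
import sqlite3

# Constructed sample rows for wp_users and wp_usermeta (not real site data).
# WordPress stores a user's role set as a PHP-serialized array in wp_usermeta.
SAMPLE_USERS = [
    (1, "siteowner", "2021-03-04 10:00:00"),
    (2, "editor_jane", "2022-07-19 09:12:00"),
    (3, "member_bob", "2024-11-02 17:45:00"),
    (4, "newmember42", "2026-05-10 22:31:07"),
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),  # old subscriber, now admin
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),  # fresh account, admin
]

ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

def roles_from_serialized(value):
    """Extract enabled role names from a PHP-serialized wp_capabilities array."""
    return set(ROLE_RE.findall(value))

def load_sample_db():
    """Build an in-memory SQLite stand-in for the two WordPress tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?,?,?)", SAMPLE_USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", SAMPLE_META)
    return db

def audit_admins(db, known_admins, exposure_start):
    """Return (ID, login, reasons) for admin accounts that need review.
    exposure_start is a 'YYYY-MM-DD HH:MM:SS' string in the same format
    WordPress uses for user_registered, so string comparison orders correctly."""
    rows = db.execute(
        "SELECT u.ID, u.user_login, u.user_registered, m.meta_value "
        "FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' ORDER BY u.ID"
    )
    findings = []
    for uid, login, registered, caps in rows:
        if "administrator" not in roles_from_serialized(caps):
            continue
        reasons = []
        if login not in known_admins:
            reasons.append("not on admin allowlist")
        if registered >= exposure_start:
            reasons.append("registered during exposure window")
        if reasons:
            findings.append((uid, login, reasons))
    return findings

if __name__ == "__main__":
    for uid, login, reasons in audit_admins(load_sample_db(), {"siteowner"}, "2026-05-01 00:00:00"):
        print(f"user {uid} ({login}): {', '.join(reasons)}")
```

Against a live site, point the same query at the MySQL database (adjusting the prefix if the site does not use wp_) and treat every flagged account as an incident lead until its elevation is explained.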