Impact
A missing capability and nonce check in the WishList Member plugin's ajax_get_screen() function allows an authenticated attacker with at least Subscriber-level access to supply an arbitrary admin screen identifier via the data[url] parameter. The plugin then loads and executes the administrative API configuration template and returns the plugin's plaintext REST API Secret Key in the AJAX JSON response. Because that key authenticates requests to WishList Member's API, the attacker can create a new membership level that assigns the administrator WordPress role and register an arbitrary admin-level user account, compromising the entire site. The flaw is classified as CWE-269 (Improper Privilege Management).
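As an added illustration that is not WishList Member's code, the following hypothetical WordPress AJAX handler shows the three controls whose absence the advisory describes: a nonce check, a capability check, and an allowlist that stops request data from choosing which template is loaded. The action name, function name and screen file paths are placeholders.

```php
<?php
// Hypothetical hardened admin-ajax handler (placeholder names, not the plugin's own).
// Registered only for logged-in users: no 'wp_ajax_nopriv_' hook, so anonymous
// requests never reach the callback.
add_action( 'wp_ajax_example_get_screen', 'example_ajax_get_screen' );

function example_ajax_get_screen() {
    // 1. Nonce check: the caller must present a nonce that was issued by a page we
    //    rendered, i.e. wp_create_nonce( 'example_get_screen' ). On failure
    //    check_ajax_referer() terminates the request with a -1 / 403 response.
    check_ajax_referer( 'example_get_screen', 'nonce' );

    // 2. Capability check: being logged in is not enough. A Subscriber is
    //    authenticated but lacks 'manage_options', so the request stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Allowlist: map short identifiers to fixed template files so that
    //    data[url] can only select a known screen, never an arbitrary one.
    $screens = array(
        'dashboard' => __DIR__ . '/screens/dashboard.php', // placeholder path
        'members'   => __DIR__ . '/screens/members.php',   // placeholder path
    );
    $requested = isset( $_POST['data']['url'] )
        ? sanitize_key( wp_unslash( $_POST['data']['url'] ) )
        : '';
    if ( ! isset( $screens[ $requested ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown screen.' ), 400 );
    }

    // Render the chosen template into a buffer and return it as JSON. Even with the
    // checks above, an API configuration screen should not echo secret keys into an
    // AJAX response; the key stays server-side and only a masked form is shown.
    ob_start();
    include $screens[ $requested ];
    $html = ob_get_clean();

    wp_send_json_success( array( 'html' => $html ) );
}
```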
Affected Systems
The vulnerability affects the WishList Member WordPress plugin in all releases up to and including version 3.30.1. Any user logged in with at least Subscriber-level privileges can potentially exploit it. No other products or versions are listed.
Risk and Exploitability
With a CVSS score of 8.8, the flaw is rated High severity. EPSS data is not available, but because there is no nonce or capability check the attack is trivial for any authenticated subscriber, so the probability of exploitation is high on any site that has logged-in users. The flaw is not listed in the CISA KEV catalog. Exploitation would target the wlm3_get_screen AJAX endpoint: an attacker submits a crafted data[url] value, retrieves the API secret key from the JSON response, and then uses that key against the WishList Member API to create accounts with administrator privileges.
OpenCVE Enrichment