Impact
A missing authorization check in the export_settings function of the Wishlist Member plugin allows an authenticated user with Subscriber-level or higher privileges to obtain the plugin’s REST API secret key from an AJAX JSON response. With this key, the attacker can authenticate to the plugin’s API, create a membership level that grants the WordPress administrator role, and register an arbitrary user with that role, effectively taking over the site. The root cause is the absence of a capability check: the handler never verifies that the caller is authorized to export settings, so the flaw is a classic Privilege Escalation vulnerability that also discloses a sensitive credential. The impact is full control of the WordPress installation, including the ability to add users, modify settings, and access or delete site content.
Affected Systems
The vulnerability affects all installations of the Wishlist Member plugin for WordPress up to and including version 3.30.1. Any site using those versions is at risk; newer releases are presumed to contain the fix.
Risk and Exploitability
The CVSS score of 8.8 classifies this flaw as High severity, with a high likelihood of exploitation in a site that has any Subscriber+ user. Although an EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the nature of the attack—returning a secret key via a public API endpoint—indicates that exploitation could occur without complex prerequisites. An attacker needs only an authenticated session with limited privileges to trigger the export_settings action and exploit the disclosed secret key.
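The flaw class described above is a WordPress admin-ajax handler that trusts login as if it were authorization. The following is an added, hypothetical illustration (not Wishlist Member’s code): the vulnerable pattern beside a hardened handler that checks a nonce and the `manage_options` capability and strips the stored secret from the export. The hook names, option name and `rest_api_secret` key are assumptions.

```php
<?php
// Added illustration, not code from the Wishlist Member plugin.
// Hook, option and key names below are assumed for the example.

// Vulnerable pattern: wp_ajax_* hooks fire for every logged-in user, so reaching
// this handler proves authentication only. Settings (secret included) go to any role.
add_action( 'wp_ajax_example_export_settings_vuln', function () {
    $settings = get_option( 'example_plugin_settings', array() ); // assumed option name
    wp_send_json_success( $settings ); // leaks any stored API secret to a Subscriber
} );

// Hardened pattern: CSRF check, explicit capability check, and a minimised export.
add_action( 'wp_ajax_example_export_settings', 'example_export_settings_handler' );

function example_export_settings_handler() {
    // 1. The request must carry a nonce issued for this specific action
    //    (check_ajax_referer() dies with a 403 response on failure).
    check_ajax_referer( 'example_export_settings_nonce', 'nonce' );

    // 2. Authorization: being logged in is not enough. Require an
    //    administrator-level capability before touching plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Least disclosure: even for administrators, do not return credential
    //    material in a browser-triggerable export; rotate it server-side instead.
    $settings = get_option( 'example_plugin_settings', array() );
    unset( $settings['rest_api_secret'] ); // assumed key name for the stored secret

    wp_send_json_success( $settings );
}
```

Defenders reviewing a plugin can grep its `wp_ajax_` handlers for the absence of `current_user_can()` or `check_ajax_referer()` calls; a handler that returns stored options without either is the same pattern as this advisory.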
OpenCVE Enrichment