A high-severity authorization vulnerability in the WishList Member WordPress plugin allows attackers to modify system settings by bypassing capability checks.

The vulnerability exists in the 'WishListMember\Features\Team_Accounts::save_settings' function, which fails to verify user capabilities. This allows unauthorized users to modify plugin settings.

A CVSS score of 8.8 indicates a high risk. Exploitation could allow an attacker to alter core plugin settings, potentially weakening the site's security posture or redirecting member traffic.

Immediate Action: Update the WishList Member plugin to the latest version.

Proactive Monitoring: Regularly review plugin configuration settings for any unexpected changes.

Compensating Controls: Limit access to the WordPress backend to trusted network locations.

Public Exploit Available: false

Capability checks are fundamental to plugin security. Administrators should update the WishList Member plugin immediately to ensure that configuration settings are protected from unauthorized modification.