CVE-2026-6898
WishList Products · WishList Member
The WishList Member plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check.
Executive summary
A high-severity authorization vulnerability in the WishList Member WordPress plugin allows an attacker with insufficient privileges to modify sensitive data, because the affected function never checks the caller's capabilities before acting.
Vulnerability
The vulnerability exists in the 'WishListMember3_Hooks::generate_api_key' function, which lacks a capability check. Because nothing verifies that the caller is an administrator, a user who should not hold administrative rights can invoke the function, generate an API key and thereby modify data the plugin relies on.
Business impact
The CVSS score of 8.8 reflects the severity of the flaw. Exploitation lets an attacker generate an API key they are not entitled to; that key gives them persistent access to the plugin's API, with which they can manipulate member data or reach other sensitive site information.
Remediation
Immediate Action: Update the WishList Member plugin to the latest version provided by the vendor.
Proactive Monitoring: Review web-server and plugin logs for calls to the key-generation endpoint from accounts without administrative rights, and for API keys that changed without an administrator rotating them; treat either as a sign of exploitation.
Compensating Controls: Restrict access to the WordPress administrative dashboard to trusted IP addresses. This only blocks the flaw if the vulnerable code path is reached through wp-admin; an endpoint exposed through the REST API or the front end is not covered, so treat the restriction as defence in depth, not as a substitute for the update.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Missing capability checks are a common and serious class of WordPress plugin bug: registering a handler on an admin-side action or REST route does not by itself restrict who may call it, and a nonce check prevents CSRF but is not authorization. Administrators must apply the latest plugin update immediately so that administrative functions are once again gated by an explicit capability check such as current_user_can().
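The pattern behind the Vulnerability and Analyst recommendation sections above, as an added illustration that is not WishList Member's code: a hypothetical plugin handler that generates an API key, first with no capability check (reachable by any logged-in user, and by anyone at all if registered with wp_ajax_nopriv_), then hardened with a nonce check for CSRF and a capability check for authorization. Every class, hook, option and route name below is assumed for the example.

```php
<?php
/*
 * Added illustration of the bug class, not WishList Member's own code.
 * Every class, hook, option and route name here is hypothetical.
 * First class: a key-generation handler with no capability check.
 * Second class: the same handler with CSRF and authorization checks.
 */

/* --- Vulnerable pattern: reachable by any logged-in user --------------- */
class Example_Hooks_Vulnerable {
    public function __construct() {
        // wp_ajax_{action} fires for EVERY authenticated user, whatever the role.
        // (wp_ajax_nopriv_{action} would expose it unauthenticated as well.)
        add_action( 'wp_ajax_example_generate_api_key', array( $this, 'generate_api_key' ) );

        // Same mistake on the REST surface: a permission_callback that always allows.
        add_action( 'rest_api_init', function () {
            register_rest_route( 'example/v1', '/api-key', array(
                'methods'             => 'POST',
                'callback'            => array( $this, 'rest_generate_api_key' ),
                'permission_callback' => '__return_true',   // no authorization at all
            ) );
        } );
    }

    public function generate_api_key() {
        // A subscriber-level account reaches this line and overwrites the site key.
        $key = wp_generate_password( 32, false );
        update_option( 'example_api_key', $key );
        wp_send_json_success( array( 'api_key' => $key ) );
    }

    public function rest_generate_api_key( WP_REST_Request $request ) {
        $key = wp_generate_password( 32, false );
        update_option( 'example_api_key', $key );
        return new WP_REST_Response( array( 'api_key' => $key ), 200 );
    }
}

/* --- Hardened pattern: nonce for CSRF, capability for authorization ---- */
class Example_Hooks_Fixed {
    const CAP = 'manage_options';   // capability allowed to rotate the key (assumed)

    public function __construct() {
        add_action( 'wp_ajax_example_generate_api_key', array( $this, 'generate_api_key' ) );

        add_action( 'rest_api_init', function () {
            register_rest_route( 'example/v1', '/api-key', array(
                'methods'             => 'POST',
                'callback'            => array( $this, 'rest_generate_api_key' ),
                // REST: authorization belongs in permission_callback. Cookie-authenticated
                // requests must also carry the X-WP-Nonce header, which core verifies.
                'permission_callback' => function () {
                    return current_user_can( self::CAP );
                },
            ) );
        } );
    }

    public function generate_api_key() {
        // 1. CSRF: the request must carry a nonce minted for this action.
        //    A nonce is NOT authorization; any logged-in user can be issued one.
        check_ajax_referer( 'example_generate_api_key', 'nonce' );

        // 2. Authorization: the check whose absence this advisory describes.
        //    wp_send_json_error() terminates the request, so nothing below runs.
        if ( ! current_user_can( self::CAP ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }

        $key = wp_generate_password( 32, false );
        update_option( 'example_api_key', $key );
        wp_send_json_success( array( 'api_key' => $key ) );
    }

    public function rest_generate_api_key( WP_REST_Request $request ) {
        // permission_callback has already run; the handler may assume authorization.
        $key = wp_generate_password( 32, false );
        update_option( 'example_api_key', $key );
        return new WP_REST_Response( array( 'api_key' => $key ), 200 );
    }
}

new Example_Hooks_Fixed();
```

To audit any plugin for this class, list every add_action( 'wp_ajax_... ) and register_rest_route( ... ) registration and confirm that each handler, or its permission_callback, calls current_user_can() with a capability that matches what the handler does. A check_ajax_referer() or wp_verify_nonce() call on its own is not sufficient, because nonces are issued to low-privilege users too.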