Skip to main content

WishList Member X CVE-2026-24575

| EUVDEUVD-2026-37663 MEDIUM
Missing Authorization (CWE-862)
2026-06-17 Patchstack
4.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Subscriber account (PR:L) required over network (AV:N); confidentiality capped at Low (protected content read-only); no integrity or availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:55 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in WishList Member X <= 3.29.0 versions.

AnalysisAI

Broken access control in WishList Member X WordPress plugin (versions ≤ 3.29.0) permits authenticated subscriber-level users to access membership-restricted content without holding the required membership tier. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce authorization checks on protected content access paths, exposing paid or restricted resources to the lowest WordPress authenticated role. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register free subscriber account
Delivery
Authenticate to WordPress site
Exploit
Identify restricted membership content URL
Execution
Send authenticated HTTP request to protected endpoint
Persist
Bypass WishList Member authorization check
Impact
Read premium or restricted content

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress subscriber account on the target site - the lowest authenticated WordPress role, freely obtainable on any site with open user registration enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 4.3 (Medium) accurately reflects the constrained blast radius: confidentiality impact is Low (restricted content exposure only), with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running WishList Member X ≤ 3.29.0 with open registration enabled. Authenticated as a subscriber, they send direct HTTP requests to URLs or endpoints serving membership-gated content, which the plugin serves without validating the user's membership tier. …
Remediation Patch available per vendor advisory - update WishList Member X to a version above 3.29.0; however, the exact fixed version number was not independently confirmed from the available data and should be verified against the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-29-0-broken-access-control-vulnerability before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-24575 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy