Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable upload endpoint exploitable by any subscriber (PR:L per description), no user interaction, webshell escapes plugin scope to compromise host (S:C) with full CIA impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Arbitrary File Upload in WishList Member X <= 3.29.0 versions.
AnalysisAI
Arbitrary file upload in the WishList Member X WordPress plugin versions 3.29.0 and earlier allows authenticated subscriber-level users to upload malicious files, with a CVSS 9.9 score reflecting scope change and full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the low privilege requirement (subscriber is the lowest authenticated WordPress role) makes this trivially reachable on any site permitting user registration. The vulnerability was disclosed via Patchstack and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).
Technical ContextAI
WishList Member X is a commercial WordPress membership plugin developed by WishList Products LLC, used to gate site content behind subscription tiers. The flaw falls under CWE-434, meaning the plugin accepts file uploads from authenticated users without sufficiently validating the file type, extension, or content - allowing files such as PHP webshells to be placed in a web-accessible location. Because WordPress executes PHP files served from the uploads directory or plugin directory under the web server user, a successful upload typically translates directly to remote code execution under the PHP-FPM/Apache/Nginx worker context. The CPE confirms the affected product is cpe:2.3:a:wishlist_products,_llc.:wishlist_member_x with all versions through 3.29.0 in scope.
RemediationAI
No vendor-released patch version is identified in the available data; administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-29-0-arbitrary-file-upload-vulnerability and upgrade to any version released after 3.29.0 once published by WishList Products. As compensating controls until a fixed release is installed, disable new user registration in WordPress Settings → General (trade-off: blocks legitimate subscriber signups, breaking the plugin's core business function), deactivate the WishList Member X plugin entirely if subscription functionality can be paused, restrict access to the plugin's upload endpoint via web-server rules or a WAF virtual patch (Patchstack offers one for this CVE), and configure the web server to deny execution of PHP files within wp-content/uploads using directory-level handler restrictions (trade-off: may break other plugins that legitimately serve PHP from uploads paths).
More in Wishlist Member X
View allImproper Privilege Management vulnerability in Membership Software WishList Member X allows Privilege Escalation.26.7. R
Missing Authorization vulnerability in Membership Software WishList Member X.26.7. Rated high severity (CVSS 7.5), this
Broken access control in WishList Member X WordPress plugin (versions ≤ 3.29.0) permits authenticated subscriber-level u
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37667