Skip to main content

WishList Member X EUVDEUVD-2026-37663

| CVE-2026-24575 MEDIUM
Missing Authorization (CWE-862)
2026-06-17 Patchstack
4.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Subscriber account (PR:L) required over network (AV:N); confidentiality capped at Low (protected content read-only); no integrity or availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:55 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in WishList Member X <= 3.29.0 versions.

AnalysisAI

Broken access control in WishList Member X WordPress plugin (versions ≤ 3.29.0) permits authenticated subscriber-level users to access membership-restricted content without holding the required membership tier. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce authorization checks on protected content access paths, exposing paid or restricted resources to the lowest WordPress authenticated role. No public exploit has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.

Technical ContextAI

WishList Member X is a WordPress membership management plugin that gates content based on user-assigned membership levels. CWE-862 (Missing Authorization) indicates the plugin omits a server-side authorization check before fulfilling a subscriber's request to access protected resources - the code authenticates the user (confirms they are logged in) but does not verify the user's membership tier against the content's access policy. The affected product is precisely scoped by CPE cpe:2.3:a:wishlist_member:wishlist_member_x:*:*:*:*:*:*:*:*, covering all releases through 3.29.0. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N is consistent with a network-accessible WordPress endpoint reachable by any subscriber without additional complexity or interaction.

RemediationAI

Patch available per vendor advisory - update WishList Member X to a version above 3.29.0; however, the exact fixed version number was not independently confirmed from the available data and should be verified against the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-29-0-broken-access-control-vulnerability before deploying. As an immediate compensating control, site administrators should disable open subscriber registration (Dashboard → Settings → General → uncheck 'Anyone can register') to prevent untrusted users from obtaining the subscriber accounts required for exploitation; the trade-off is that no new users can self-register until the patch is applied. Alternatively, restricting the WishList Member plugin's protected content to only explicitly vetted subscriber accounts reduces the exposure surface while leaving registration open. Neither workaround eliminates the underlying missing authorization flaw.

Share

EUVD-2026-37663 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy