Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Subscriber account (PR:L) required over network (AV:N); confidentiality capped at Low (protected content read-only); no integrity or availability impact applies.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in WishList Member X <= 3.29.0 versions.
AnalysisAI
Broken access control in WishList Member X WordPress plugin (versions ≤ 3.29.0) permits authenticated subscriber-level users to access membership-restricted content without holding the required membership tier. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce authorization checks on protected content access paths, exposing paid or restricted resources to the lowest WordPress authenticated role. No public exploit has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.
Technical ContextAI
WishList Member X is a WordPress membership management plugin that gates content based on user-assigned membership levels. CWE-862 (Missing Authorization) indicates the plugin omits a server-side authorization check before fulfilling a subscriber's request to access protected resources - the code authenticates the user (confirms they are logged in) but does not verify the user's membership tier against the content's access policy. The affected product is precisely scoped by CPE cpe:2.3:a:wishlist_member:wishlist_member_x:*:*:*:*:*:*:*:*, covering all releases through 3.29.0. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N is consistent with a network-accessible WordPress endpoint reachable by any subscriber without additional complexity or interaction.
RemediationAI
Patch available per vendor advisory - update WishList Member X to a version above 3.29.0; however, the exact fixed version number was not independently confirmed from the available data and should be verified against the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-29-0-broken-access-control-vulnerability before deploying. As an immediate compensating control, site administrators should disable open subscriber registration (Dashboard → Settings → General → uncheck 'Anyone can register') to prevent untrusted users from obtaining the subscriber accounts required for exploitation; the trade-off is that no new users can self-register until the patch is applied. Alternatively, restricting the WishList Member plugin's protected content to only explicitly vetted subscriber accounts reduces the exposure surface while leaving registration open. Neither workaround eliminates the underlying missing authorization flaw.
More in Wishlist Member X
View allArbitrary file upload in the WishList Member X WordPress plugin versions 3.29.0 and earlier allows authenticated subscri
Improper Privilege Management vulnerability in Membership Software WishList Member X allows Privilege Escalation.26.7. R
Missing Authorization vulnerability in Membership Software WishList Member X.26.7. Rated high severity (CVSS 7.5), this
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37663