Skip to main content

WishList Member X EUVDEUVD-2026-37667

| CVE-2026-25446 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-17 Patchstack
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable upload endpoint exploitable by any subscriber (PR:L per description), no user interaction, webshell escapes plugin scope to compromise host (S:C) with full CIA impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:26 vuln.today

DescriptionCVE.org

Subscriber Arbitrary File Upload in WishList Member X <= 3.29.0 versions.

AnalysisAI

Arbitrary file upload in the WishList Member X WordPress plugin versions 3.29.0 and earlier allows authenticated subscriber-level users to upload malicious files, with a CVSS 9.9 score reflecting scope change and full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the low privilege requirement (subscriber is the lowest authenticated WordPress role) makes this trivially reachable on any site permitting user registration. The vulnerability was disclosed via Patchstack and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).

Technical ContextAI

WishList Member X is a commercial WordPress membership plugin developed by WishList Products LLC, used to gate site content behind subscription tiers. The flaw falls under CWE-434, meaning the plugin accepts file uploads from authenticated users without sufficiently validating the file type, extension, or content - allowing files such as PHP webshells to be placed in a web-accessible location. Because WordPress executes PHP files served from the uploads directory or plugin directory under the web server user, a successful upload typically translates directly to remote code execution under the PHP-FPM/Apache/Nginx worker context. The CPE confirms the affected product is cpe:2.3:a:wishlist_products,_llc.:wishlist_member_x with all versions through 3.29.0 in scope.

RemediationAI

No vendor-released patch version is identified in the available data; administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-29-0-arbitrary-file-upload-vulnerability and upgrade to any version released after 3.29.0 once published by WishList Products. As compensating controls until a fixed release is installed, disable new user registration in WordPress Settings → General (trade-off: blocks legitimate subscriber signups, breaking the plugin's core business function), deactivate the WishList Member X plugin entirely if subscription functionality can be paused, restrict access to the plugin's upload endpoint via web-server rules or a WAF virtual patch (Patchstack offers one for this CVE), and configure the web server to deny execution of PHP files within wp-content/uploads using directory-level handler restrictions (trade-off: may break other plugins that legitimately serve PHP from uploads paths).

Share

EUVD-2026-37667 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy