Skip to main content

Wishlist Member X

4 CVEs product

Monthly

CVE-2026-25446 CRITICAL Act Now

Arbitrary file upload in the WishList Member X WordPress plugin versions 3.29.0 and earlier allows authenticated subscriber-level users to upload malicious files, with a CVSS 9.9 score reflecting scope change and full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the low privilege requirement (subscriber is the lowest authenticated WordPress role) makes this trivially reachable on any site permitting user registration. The vulnerability was disclosed via Patchstack and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).

File Upload Wishlist Member X
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-24575 MEDIUM This Month

Broken access control in WishList Member X WordPress plugin (versions ≤ 3.29.0) permits authenticated subscriber-level users to access membership-restricted content without holding the required membership tier. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce authorization checks on protected content access paths, exposing paid or restricted resources to the lowest WordPress authenticated role. No public exploit has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass Wishlist Member X
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-37111 HIGH This Week

Missing Authorization vulnerability in Membership Software WishList Member X.26.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Wishlist Member X
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-37107 HIGH This Week

Improper Privilege Management vulnerability in Membership Software WishList Member X allows Privilege Escalation.26.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Wishlist Member X
NVD
CVSS 3.1
8.8
EPSS
0.4%
EPSS 0% CVSS 9.9
CRITICAL Act Now

Arbitrary file upload in the WishList Member X WordPress plugin versions 3.29.0 and earlier allows authenticated subscriber-level users to upload malicious files, with a CVSS 9.9 score reflecting scope change and full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the low privilege requirement (subscriber is the lowest authenticated WordPress role) makes this trivially reachable on any site permitting user registration. The vulnerability was disclosed via Patchstack and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).

File Upload Wishlist Member X
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in WishList Member X WordPress plugin (versions ≤ 3.29.0) permits authenticated subscriber-level users to access membership-restricted content without holding the required membership tier. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce authorization checks on protected content access paths, exposing paid or restricted resources to the lowest WordPress authenticated role. No public exploit has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass Wishlist Member X
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Missing Authorization vulnerability in Membership Software WishList Member X.26.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Wishlist Member X
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Improper Privilege Management vulnerability in Membership Software WishList Member X allows Privilege Escalation.26.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Wishlist Member X
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy