WordPress Plugin Vulnerabilities

WishList Member X < 3.26.7 - Subscriber+ Remote Code Execution

Description

The plugin is vulnerable to Remote Code Execution. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
wishlist-member-x
Fixed in 3.26.7

References

CVE
CVE-2024-37109
URL
https://patchstack.com/database/wordpress/plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-25-1-authenticated-arbitrary-php-code-execution-vulnerability

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
555e2380-952e-499e-a588-0f8ebffaefd8

Timeline

Publicly Published
2024-06-20 (about 1 year ago)
Added
2024-07-02 (about 1 year ago)
Last Updated
2025-10-13 (about 5 months ago)

Other

Published
Title
Published
2025-08-14
Title
Dynamic Pricing With Discount Rules for WooCommerce < 4.5.10 - Authenticated (Shop Manager+) Arbitrary Code Execution
Published
2023-10-30
Title
Ads by datafeedr.com < 1.2.0 - Unauthenticated Remote Code Execution
Published
2025-01-21
Title
GamiPress < 7.2.2 - Unauthenticated Arbitrary Shortcode Execution via gamipress_do_shortcode() Function
Published
2025-07-03
Title
Easy Stripe < 1.2 - Unauthenticated Arbitrary Function Call
Published
2025-10-31
Title
Advanced Ads < 2.0.13 - Unauthenticated Limited Code Execution