WordPress Plugin Vulnerabilities

WishList Member X < 3.26.7 - Unauthenticated Arbitrary SQL Execution

Description

The WishList Member X plugin for WordPress is vulnerable SQL Injection in versions up to, and including, 3.25.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to run arbitrary SQL queries that can be used to extract sensitive information from the database and inject new information.

Affects Plugins

Plugin icon
wishlist-member-x
Fixed in 3.26.7

References

CVE
CVE-2024-37112
URL
https://patchstack.com/database/wordpress/plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-arbitrary-sql-query-execution-vulnerability

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
9ed283b8-f0b1-4c62-805e-12ff693b89ac

Timeline

Publicly Published
2024-06-20 (about 1 year ago)
Added
2024-07-02 (about 1 year ago)
Last Updated
2025-10-29 (about 4 months ago)

Other

Published
Title
Published
2017-09-22
Title
Gallery < 1.2.1 - Admin+ SQLi
Published
2014-08-01
Title
ENL Newsletter 1.0.1 - wp-admin/admin.php enl-add-new Page id Parameter SQL Injection
Published
2025-03-04
Title
Ultimate Member < 2.10.1 - Unauthenticated SQLi
Published
2022-12-05
Title
Contest Gallery < 19.1.5 - Author+ SQL Injection
Published
2025-03-27
Title
WP Subscription Forms < 1.2.4 - Authenticated (Contributor+) SQL Injection