WordPress Plugin Vulnerabilities

WishList Member X < 3.26.7 - Unauthenticated Information Exposure

Description

The Wishlist Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.25.1 due to a weakness that allows for unauthorized downloads of the sites database backup. This makes it possible for unauthenticated attackers to extract sensitive information from a sites database.

Affects Plugins

Plugin icon
wishlist-member-x
Fixed in 3.26.7

References

CVE
CVE-2024-37113
URL
https://patchstack.com/database/wordpress/plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-database-backup-download-vulnerability

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
d702c18b-c45e-4dee-be28-42ce7764d0ea

Timeline

Publicly Published
2024-06-20 (about 1 year ago)
Added
2024-07-02 (about 1 year ago)
Last Updated
2025-10-29 (about 4 months ago)

Other

Published
Title
Published
2026-01-16
Title
AWP Classifieds < 4.4.4 - Unauthenticated Information Exposure
Published
2021-08-26
Title
PostX Gutenberg Blocks Saved Templates Addon < 2.4.10 - Private Content Disclosure
Published
2025-10-14
Title
External Login <= 1.11.2 - Authenticated (Subscriber+) Sensitive Data Exposure via Test Connection
Published
2025-01-24
Title
Import WP – Export and Import CSV and XML files to WordPress < 2.14.6 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Published
2024-12-19
Title
Seraphinite Accelerator <= 2.22.15 (2.21.13 PRO) - Authenticated (Subscriber+) Information Exposure