Platform: wordpress
Component: wishlist-member-x
Fixed in: 3.26.7
CVE-2024-37108 is an arbitrary file access vulnerability discovered in the Wishlist Member plugin for WordPress. This flaw allows authenticated attackers, even those with Subscriber-level access, to delete files on the server. The most severe consequence is potential remote code execution if critical files like wp-config.php are deleted, compromising the entire WordPress installation. This vulnerability affects versions of Wishlist Member up to and excluding 3.26.7.
The primary impact of CVE-2024-37108 is the ability for an authenticated attacker to delete arbitrary files on a WordPress server. While seemingly limited to file deletion, the vulnerability's severity stems from the potential to delete critical configuration files. Deletion of wp-config.php, for example, would effectively grant the attacker complete control over the WordPress instance, allowing for arbitrary code execution. This could lead to data breaches, website defacement, malware installation, and complete system compromise. The relatively low access requirement (Subscriber level) significantly expands the potential attack surface.
CVE-2024-37108 was publicly disclosed on June 20, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. The ease of exploitation, combined with the plugin's popularity, suggests that it could become a target for opportunistic attackers.
Exploit Status
EPSS: 0.28% (52nd percentile)
The primary mitigation for CVE-2024-37108 is to immediately upgrade the Wishlist Member plugin to version 3.26.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file permissions on the WordPress server to limit the attacker's ability to delete sensitive files. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion requests. Monitor WordPress access logs for unusual file deletion activity. After upgrading, verify the fix by attempting a file deletion request with a low-privileged user account to confirm that access is properly restricted.
Update to version 3.26.7, or a newer patched version
CVE-2024-37108 is a vulnerability in the Wishlist Member WordPress plugin allowing authenticated users to delete arbitrary files, potentially leading to remote code execution if critical files are deleted.
You are affected if your WordPress site uses the Wishlist Member plugin and is running a version prior to 3.26.7. Check your plugin version immediately.
Upgrade the Wishlist Member plugin to version 3.26.7 or later. If immediate upgrade is not possible, implement temporary mitigations like restricting file permissions and using a WAF.
As of June 2024, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the Wishlist Member website and WordPress plugin repository for the latest security advisory and update information regarding CVE-2024-37108.
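A version check as an added example (not code from this advisory or from the Wishlist Member plugin): it reads the standard WordPress plugin-header "Version:" field and compares it numerically against 3.26.7, since a plain string comparison would misjudge versions such as 3.9.x. The header text below is constructed for the example; the plugin's real main-file path is not assumed.

```python
import re
from typing import Optional, Tuple

FIXED_VERSION = "3.26.7"  # first patched release named in the advisory

# Constructed sample in the WordPress plugin-header format; not the real file.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WishList Member
 * Version: 3.26.5
 */
"""


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the 'Version:' field of a WordPress plugin header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9A-Za-z.\-]+)",
                  header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'3.26.7' -> (3, 26, 7): numeric, not lexical, so 3.9 < 3.26.
    A non-numeric suffix such as '-beta' is ignored for the comparison."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed (affected up to and excluding 3.26.7)."""
    a, b = version_tuple(installed), version_tuple(fixed)
    n = max(len(a), len(b))  # pad so that 3.26 compares as 3.26.0
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def check_header(header_text: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (version, vulnerable); (None, None) if no header was found."""
    version = parse_plugin_version(header_text)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = check_header(SAMPLE_PLUGIN_HEADER)
    print(f"installed {version}: {'VULNERABLE' if vulnerable else 'patched'}")
```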