Platform
wordpress
Component
wishlist-member-x
Fixed in
3.26.7
3.26.7
CVE-2024-37109 is a critical Remote Code Execution (RCE) vulnerability discovered in the Wishlist Member plugin for WordPress. This vulnerability allows authenticated attackers, even those with Subscriber-level access, to execute arbitrary code on the server. The vulnerability affects versions of the plugin up to and excluding 3.26.7, and a patch has been released in version 3.26.7.
The impact of this RCE vulnerability is severe. An attacker with Subscriber-level access can gain complete control over the WordPress server, potentially leading to data breaches, website defacement, malware installation, and complete system compromise. This could include accessing sensitive user data stored within the WordPress database, modifying website content, and using the server as a launchpad for further attacks against other systems on the network. The ease of exploitation, requiring only Subscriber privileges, significantly broadens the attack surface.
This vulnerability was publicly disclosed on June 20, 2024. While no active exploitation campaigns have been confirmed at the time of writing, the ease of exploitation and the plugin's popularity suggest a high likelihood of exploitation attempts. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
0.85% (75% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Wishlist Member plugin to version 3.26.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the plugin's administrative functions to trusted users only. Implement a Web Application Firewall (WAF) with rules to block suspicious requests targeting the vulnerable plugin endpoints. Monitor WordPress logs for unusual activity, particularly requests originating from unauthorized users.
Update to version 3.26.7, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-37109 is a critical Remote Code Execution vulnerability in the Wishlist Member WordPress plugin, allowing authenticated attackers to execute code on the server.
You are affected if you are using Wishlist Member WordPress plugin versions prior to 3.26.7. Check your plugin version immediately.
Upgrade the Wishlist Member plugin to version 3.26.7 or later. If immediate upgrade is not possible, restrict access and implement WAF rules.
While no active exploitation campaigns have been confirmed, the ease of exploitation suggests a high likelihood of exploitation attempts.
Refer to the Wishlist Member website and WordPress plugin directory for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.