Description

WordPress Plugin WishList Member X is prone to a remote code execution vulnerability because it fails to sufficiently sanitize user-supplied input. Successful exploitation may allow attackers to execute arbitrary commands with the privileges of the user running the application, to compromise the application or the underlying database, to access or modify data or to compromise a vulnerable system. WordPress Plugin WishList Member X version 3.25.1 is vulnerable; prior versions may also be affected.

Remediation

Disable and remove the plugin until a fix is available

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wishlist-member-x/wishlist-member-x-3251-authenticated-subscriber-remote-code-execution

Related Vulnerabilities

OpenSSL Use of Insufficiently Random Values Vulnerability (CVE-2019-1549)

b2evolution Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2007-0175)

WordPress 'comment_post_ID' Parameter SQL Injection Vulnerability (3.0.4)

Joomla! Core 3.x.x Information Disclosure (3.0.0 - 3.9.19)

WordPress Plugin Easy Google Analytics for WordPress Cross-Site Request Forgery (1.6.0)

Severity

High

Classification

CVE-2024-37109 CWE-94 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Code Execution