Impact
This vulnerability is a broken access control flaw in the WishList Member X plugin up to 3.29.0. The flaw allows a user with subscriber privileges to bypass authorization checks and execute actions or view data that should be protected. The weakness is identified as CWE‑862, missing authorization, and could enable unauthorized data disclosure or privilege escalation within the WordPress site.
Affected Systems
The affected software is the WishList Member X plugin, a WordPress add‑on that manages memberships and access. Versions up to and including 3.29.0 are vulnerable. The plugin is widely used in WordPress installations that rely on its role‑based access control.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate severity. EPSS is not available, so the exploitation likelihood is unclear. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote via HTTP requests to the plugin’s endpoints, which is typical for WordPress plug‑in flaws. It is inferred that an attacker would need a subscriber account or could abuse unintended endpoints to push the access control bypass.
OpenCVE Enrichment