Description
Subscriber Broken Access Control in WishList Member X <= 3.29.0 versions.
Published: 2026-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a broken access control flaw in the WishList Member X plugin up to 3.29.0. The flaw allows a user with subscriber privileges to bypass authorization checks and execute actions or view data that should be protected. The weakness is identified as CWE‑862, missing authorization, and could enable unauthorized data disclosure or privilege escalation within the WordPress site.

Affected Systems

The affected software is the WishList Member X plugin, a WordPress add‑on that manages memberships and access. Versions up to and including 3.29.0 are vulnerable. The plugin is widely used in WordPress installations that rely on its role‑based access control.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. EPSS is not available, so the exploitation likelihood is unclear. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote via HTTP requests to the plugin’s endpoints, which is typical for WordPress plug‑in flaws. It is inferred that an attacker would need a subscriber account or could abuse unintended endpoints to push the access control bypass.

Generated by OpenCVE AI on June 18, 2026 at 14:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WishList Member X to the latest available version that addresses the authorization failure.
  • If an immediate upgrade is not possible, restrict the subscriber role by removing unrestricted capabilities or disabling plugin features that rely on the known vulnerable components.
  • Monitor the WordPress site for anomalous activity such as unexpected data access or privilege changes, and apply additional security controls like role‑based access monitoring or web application firewall rules.

Generated by OpenCVE AI on June 18, 2026 at 14:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wishlist Member
Wishlist Member wishlist Member X
Wordpress
Wordpress wordpress
Vendors & Products Wishlist Member
Wishlist Member wishlist Member X
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Broken Access Control in WishList Member X <= 3.29.0 versions.
Title WordPress WishList Member X plugin <= 3.29.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Wishlist Member Wishlist Member X
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:28:22.293Z

Reserved: 2026-01-23T12:32:02.839Z

Link: CVE-2026-24575

cve-icon Vulnrichment

Updated: 2026-06-17T14:28:18.480Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:15:06Z

Weaknesses