CVE-2026-25445 - Vulnerability Details

- WordPress WishList Member X plugin <= 3.29.0 - PHP Object Injection vulnerability

Description

Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection.This issue affects WishList Member X: from n/a through 3.29.0.

Published: 2026-03-19

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a Deserialization of Untrusted Data flaw in the WishList Member X WordPress plugin, affecting all releases up to 3.29.0. It enables a malicious actor to inject PHP objects during deserialization, which can lead to arbitrary code execution, privilege escalation, or unauthorized data access when the plugin processes supplied data. The weakness is classified as CWE‑502.

Affected Systems

Any WordPress site that has the WishList Member X plugin installed in a version from the initial release up to and including 3.29.0 is vulnerable. No specific sub‑version range is listed beyond the upper bound of 3.29.0.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score of < 1% shows a very low but non‑zero likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. It is inferred that the attack vector is remote, leveraging the plugin’s handling of serialized data—likely via HTTP requests that deliver unchecked payloads. Exploitation would require the attacker to supply crafted serialized input to the plugin, which will be processed without proper validation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Membership Software

WishList Member X

unaffected

Version	Status	Constraints
`n/a`	affected	≤ 3.29.0

No data.

Vendor Product Confidence Versions

Membershipsoftware

Wishlist Member X

99%

Version	Status	Scheme	Platform
`[0,3.29.0]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade WishList Member X to a version newer than 3.29.0 (e.g., 3.30.0 or later).
If an upgrade is not immediately possible, temporarily deactivate the WishList Member X plugin until a patch becomes available.
Configure a web application firewall or similar security solution to block crafted serialized payloads from reaching the plugin’s endpoints.

Generated by OpenCVE AI on April 28, 2026 at 22:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00061.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/wordpress/plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-29-0-php-object-injection-vulnerability?_s_id=cve

History

Tue, 28 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
References	https://patchstack.com/database/Wordpress/Plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-29-0-php-object-injection-vulnerability?_s_id=cve

Tue, 28 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X wishlist-member-x allows Object Injection.This issue affects WishList Member X: from n/a through <= 3.29.0.	Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection.This issue affects WishList Member X: from n/a through 3.29.0.
References		https://patchstack.com/database/wordpress/plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-29-0-php-object-injection-vulnerability?_s_id=cve

Thu, 23 Apr 2026 15:45:00 +0000

Type	Values Removed	Values Added
References	https://patchstack.com/database/wordpress/plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-29-0-php-object-injection-vulnerability?_s_id=cve

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection.This issue affects WishList Member X: from n/a through 3.29.0.	Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X wishlist-member-x allows Object Injection.This issue affects WishList Member X: from n/a through <= 3.29.0.
References		https://patchstack.com/database/Wordpress/Plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-29-0-php-object-injection-vulnerability?_s_id=cve

Fri, 20 Mar 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Membershipsoftware Membershipsoftware wishlist Member X Wordpress Wordpress wordpress
Vendors & Products		Membershipsoftware Membershipsoftware wishlist Member X Wordpress Wordpress wordpress

Thu, 19 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 19 Mar 2026 08:45:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection.This issue affects WishList Member X: from n/a through 3.29.0.
Title		WordPress WishList Member X plugin <= 3.29.0 - PHP Object Injection vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/wordpress/plugin/wishlist-member-x/vulnerability/wordpress-wishlist-member-x-plugin-3-29-0-php-object-injection-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Membershipsoftware Wishlist Member X

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-19T08:37:53.763Z

Updated: 2026-04-28T16:14:59.220Z

Reserved: 2026-02-02T12:53:47.193Z

Link: CVE-2026-25445

Vulnrichment

Updated: 2026-03-19T13:16:20.926Z

NVD

Status : Deferred

Published: 2026-03-19T09:16:17.630

Modified: 2026-04-28T19:37:06.707

Link: CVE-2026-25445

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T22:15:41Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object