Description
Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection.This issue affects WishList Member X: from n/a through 3.29.0.
Published: 2026-03-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Object Injection with potential for Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a Deserialization of Untrusted Data flaw in the WishList Member X plugin for WordPress, affecting all releases up to and including 3.29.0. This flaw permits a malicious actor to inject PHP objects during deserialization, which can lead to arbitrary code execution, privilege escalation, or unauthorized data access when the plugin processes supplied data. The weakness is classified as CWE-502.

Affected Systems

Any WordPress site that has the WishList Member X plugin installed in a version from the initial release up to and including 3.29.0 is vulnerable. No specific sub‑version range is listed beyond the upper bound of 3.29.0.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited publicly known exploitation. It is inferred that the attack vector is remote, leveraging the plugin’s handling of serialized data—likely via HTTP requests that deliver unchecked payloads. Exploitation would require the attacker to supply crafted serialized input to the plugin, which will be processed without proper validation.

Generated by OpenCVE AI on March 19, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WishList Member X to a version newer than 3.29.0 (e.g., 3.30.0 or later).
  • If an upgrade is not immediately possible, temporarily deactivate the WishList Member X plugin until a patch becomes available.

Generated by OpenCVE AI on March 19, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Membershipsoftware
Membershipsoftware wishlist Member X
Wordpress
Wordpress wordpress
Vendors & Products Membershipsoftware
Membershipsoftware wishlist Member X
Wordpress
Wordpress wordpress

Thu, 19 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection.This issue affects WishList Member X: from n/a through 3.29.0.
Title WordPress WishList Member X plugin <= 3.29.0 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Membershipsoftware Wishlist Member X
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-19T13:16:32.946Z

Reserved: 2026-02-02T12:53:47.193Z

Link: CVE-2026-25445

cve-icon Vulnrichment

Updated: 2026-03-19T13:16:20.926Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-19T09:16:17.630

Modified: 2026-03-19T13:25:00.570

Link: CVE-2026-25445

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:15:17Z

Weaknesses