Impact
The vulnerability permits a subscriber to upload arbitrary files via the WishList Member X plugin’s file upload feature. An attacker can place malicious scripts or executable files in the web‑root, which may then be executed by the web server, thereby compromising the application and the underlying server. The weakness is identified as CWE‑434, which highlights missing file type validation.
Affected Systems
Any WordPress site using WishList Products, LLC’s WishList Member X plugin version 3.29.0 or earlier is affected. No additional vendor or product variants are listed in the advisory.
Risk and Exploitability
The CVSS score of 9.9 indicates critical severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a direct web‑based upload, where the attacker submits a file through the plugin’s interface. Given the lack of file validation and high impact, the vulnerability is highly exploitable when the plugin is enabled.
OpenCVE Enrichment