Description
Subscriber Arbitrary File Upload in WishList Member X <= 3.29.0 versions.
Published: 2026-06-17
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits a subscriber to upload arbitrary files via the WishList Member X plugin’s file upload feature. An attacker can place malicious scripts or executable files in the web‑root, which may then be executed by the web server, thereby compromising the application and the underlying server. The weakness is identified as CWE‑434, which highlights missing file type validation.

Affected Systems

Any WordPress site using WishList Products, LLC’s WishList Member X plugin version 3.29.0 or earlier is affected. No additional vendor or product variants are listed in the advisory.

Risk and Exploitability

The CVSS score of 9.9 indicates critical severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a direct web‑based upload, where the attacker submits a file through the plugin’s interface. Given the lack of file validation and high impact, the vulnerability is highly exploitable when the plugin is enabled.

Generated by OpenCVE AI on June 18, 2026 at 14:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WishList Member X to version 3.30.0 or later
  • Disable or remove the file upload functionality of the plugin until the patch is applied, or restrict it to trusted administrators only
  • Add server‑side controls to prevent execution of uploaded files, such as configuring .htaccess or web server rules to block script files in upload directories

Generated by OpenCVE AI on June 18, 2026 at 14:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wishlist Products
Wishlist Products wishlist Member X
Wordpress
Wordpress wordpress
Vendors & Products Wishlist Products
Wishlist Products wishlist Member X
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Arbitrary File Upload in WishList Member X <= 3.29.0 versions.
Title WordPress WishList Member X plugin <= 3.29.0 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Wishlist Products Wishlist Member X
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:31:33.658Z

Reserved: 2026-02-02T12:53:47.193Z

Link: CVE-2026-25446

cve-icon Vulnrichment

Updated: 2026-06-17T13:36:37.769Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:04Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type