CVE-2024-37110
📋 TL;DR
CVE-2024-37110 is an unauthenticated information disclosure vulnerability in the WordPress WishList Member X plugin. It allows attackers without credentials to dump sensitive user data and settings. All WordPress sites running vulnerable versions of this membership plugin are affected.
💻 Affected Systems
- WordPress WishList Member X plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate all member data including personal information, payment details, and administrative settings, leading to data breach, identity theft, and complete site compromise.
Likely Case
Unauthenticated attackers will access and download user data including email addresses, usernames, and membership levels, enabling targeted phishing attacks and privacy violations.
If Mitigated
With proper network segmentation and access controls, impact would be limited to exposed WordPress instances only.
🎯 Exploit Status
The vulnerability requires no authentication and has public proof-of-concept available, making exploitation trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.26.7
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WishList Member X and click 'Update Now'. 4. Verify version shows 3.26.7 or higher.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the vulnerable plugin until patching is possible
wp plugin deactivate wishlist-member-x
Web Application Firewall Rule
allBlock access to vulnerable plugin endpoints
# Add WAF rule to block requests to /wp-content/plugins/wishlist-member-x/*
🧯 If You Can't Patch
- Implement strict network access controls to limit WordPress admin interface exposure
- Enable web application firewall with rules blocking suspicious data export requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for WishList Member X versionCheck Version:
wp plugin list --name=wishlist-member-x --field=versionVerify Fix Applied:
Verify plugin version is 3.26.7 or higher in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests to wishlist-member-x plugin endpoints
- Large data exports from non-admin IP addresses
- 403/404 errors for blocked exploit attempts
Network Indicators:
- Unusual outbound traffic patterns after accessing plugin endpoints
- Data exfiltration to unknown external IPs
SIEM Query:
source="wordpress.log" AND (uri="/wp-content/plugins/wishlist-member-x/*" OR user_agent="*wishlist*exploit*")🔗 References
- https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-settings-users-data-dump-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-settings-users-data-dump-vulnerability?_s_id=cve
