CVE-2024-37112

10.0 CRITICAL

📋 TL;DR

This is an unauthenticated SQL injection vulnerability in the WordPress WishList Member X plugin. Attackers can execute arbitrary SQL queries on affected websites without needing credentials. All WordPress sites running vulnerable versions of this membership plugin are affected.

💻 Affected Systems

Products:
  • WordPress WishList Member X plugin
Versions: All versions before 3.26.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with the vulnerable plugin version regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise allowing data theft, privilege escalation, and full site takeover via arbitrary SQL execution.

🟠 Likely Case: Database information disclosure, user data theft, and potential administrative access to the WordPress site.

🟢 If Mitigated: Limited impact if WAF rules block injection attempts and the database user's permissions are restricted to what the site actually needs.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing and the exploit requires no authentication.
🏢 Internal Only: LOW - Only affects internet-facing WordPress installations with the vulnerable plugin.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available on Patchstack; SQL injection is a well-understood attack vector with many automated tools available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.26.7

Vendor Advisory: https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-arbitrary-sql-query-execution-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WishList Member X and update to version 3.26.7 or later.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Temporary Plugin Deactivation (applies to: all)

Disable the vulnerable plugin until patching is possible:

wp plugin deactivate wishlist-member-x

Web Application Firewall Rules (applies to: all)

Implement WAF rules to block SQL injection patterns targeting this plugin.

🧯 If You Can't Patch

  • Disable the WishList Member X plugin immediately
  • Implement strict network segmentation and limit database user permissions to minimum required

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → WishList Member X version number

Check Version:

wp plugin get wishlist-member-x --field=version

Verify Fix Applied:

Confirm plugin version is 3.26.7 or higher in WordPress admin
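The version check above is easy to get wrong with a plain string comparison (3.26.10 sorts before 3.26.7 as text). The script below is an added example, not part of the advisory or the plugin, that compares the wp-cli output against the fixed release component by component; it assumes wp-cli is in PATH and is run from the WordPress root.

```shell
#!/bin/sh
# Added example (not from the advisory): compare the installed WishList Member X
# version against the fixed release 3.26.7 component by component, so that a
# string compare does not misjudge e.g. 3.26.10 as older than 3.26.7.

FIXED_VERSION="3.26.7"

# vercmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer than B.
# Missing components count as 0 (3.26 == 3.26.0); a pre-release suffix such as
# "7-beta1" is truncated to its leading digits.
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*} cb=${b%%.*}                      # leading component of each
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # consume it
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        ca=${ca%%[!0-9]*}; ca=${ca:-0}               # digits only, default 0
        cb=${cb%%[!0-9]*}; cb=${cb:-0}
        if [ "$ca" -lt "$cb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ca" -gt "$cb" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# is_vulnerable VERSION: true (exit 0) when VERSION is older than 3.26.7.
is_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# check_site: reads the installed version with wp-cli (assumed to be in PATH and
# run from the WordPress root, as in the advisory's own check command).
check_site() {
    v=$(wp plugin get wishlist-member-x --field=version 2>/dev/null) || {
        echo "wishlist-member-x not installed or wp-cli unavailable"; return 2; }
    if is_vulnerable "$v"; then
        echo "VULNERABLE: installed $v is older than $FIXED_VERSION; update now"
        return 1
    fi
    echo "OK: installed $v is $FIXED_VERSION or later"
}

# Run the live check only when invoked with --check, so the file can also be
# sourced to reuse vercmp/is_vulnerable in other scripts.
if [ "${1:-}" = "--check" ]; then check_site; fi
```

Invoke as `sh check-wlm.sh --check` from the site root; the exit status (1 = vulnerable, 0 = fixed, 2 = not installed) makes it usable in a fleet-wide loop.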

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in WordPress logs
  • Multiple failed login attempts from single IP
  • Unexpected database queries

Network Indicators:

  • HTTP requests with SQL injection patterns to plugin endpoints
  • Unusual database connection patterns

SIEM Query:

source="wordpress.log" AND ("wishlist-member" OR "sql syntax" OR "database error")

🔗 References