CVE-2024-37113
📋 TL;DR
CVE-2024-37113 is an unauthenticated database backup download vulnerability in the WishList Member X WordPress plugin. It allows attackers without credentials to download database backups containing sensitive information. This affects all WordPress sites running WishList Member X versions before 3.26.7.
💻 Affected Systems
- WishList Member X WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database exfiltration including user credentials, payment information, personal data, and site configuration, leading to credential theft, financial fraud, and regulatory violations.
Likely Case
Unauthenticated attackers download database backups containing user emails, hashed passwords, membership data, and potentially sensitive configuration details.
If Mitigated
If proper access controls and file permissions are in place, attackers cannot access backup files or the vulnerable endpoint.
🎯 Exploit Status
Exploitation requires simple HTTP requests to specific plugin endpoints. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.26.7
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WishList Member X and click 'Update Now'.
4. Verify the version shows 3.26.7 or higher.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the WishList Member X plugin until patched:
wp plugin deactivate wishlist-member-x
Block Backup Endpoint
Use the web server configuration to block access to the vulnerable plugin endpoints:
# Apache 2.2 (or 2.4 with mod_access_compat loaded):
<LocationMatch "/wp-content/plugins/wishlist-member-x.*backup">
Order Deny,Allow
Deny from all
</LocationMatch>
# Apache 2.4 native syntax:
<LocationMatch "/wp-content/plugins/wishlist-member-x.*backup">
Require all denied
</LocationMatch>
# Nginx:
location ~* /wp-content/plugins/wishlist-member-x.*backup { deny all; }
🧯 If You Can't Patch
- Disable the WishList Member X plugin immediately
- Implement strict web application firewall rules to block requests to plugin backup endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for WishList Member X version. If version is below 3.26.7, you are vulnerable.
Check Version:
wp plugin get wishlist-member-x --field=version
Verify Fix Applied:
Verify plugin version shows 3.26.7 or higher in WordPress admin panel. Test that backup download endpoints return 403/404 errors.
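The version check above is easy to get wrong if the output of `wp plugin get` is compared as a string (for example, "3.26.10" sorts before "3.26.7" lexically). The following added example, which is not part of this advisory or of the plugin, parses the version numerically and compares it against the fixed version 3.26.7 stated above; the `installed_version_via_wp_cli` helper assumes WP-CLI is installed and on PATH and uses its standard `--path` global parameter.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed version as stated in the advisory.
FIXED_VERSION = "3.26.7"
PLUGIN_SLUG = "wishlist-member-x"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.26.7' (trailing newline or a suffix such as '-beta' tolerated)
    into a tuple of ints so that comparison is numeric, not lexical."""
    core = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not core:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in core.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad '3.26' to '3.26.0' before comparing
    b += (0,) * (width - len(b))
    return a < b


def installed_version_via_wp_cli(site_path: str = ".") -> Optional[str]:
    """Ask WP-CLI for the plugin version (assumption: `wp` is on PATH).
    Returns None if WP-CLI is missing or the plugin is not installed."""
    cmd = ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={site_path}"]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    version = installed_version_via_wp_cli()
    if version is None:
        print("could not determine plugin version (WP-CLI unavailable or plugin absent)")
    elif is_vulnerable(version):
        print(f"{PLUGIN_SLUG} {version} is below {FIXED_VERSION}: update required")
    else:
        print(f"{PLUGIN_SLUG} {version} is at or above {FIXED_VERSION}")
```

Run it from the WordPress root (or pass the site path to `installed_version_via_wp_cli`); the comparison function can also be fed a version read from the admin panel by hand.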
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to paths containing '/wp-content/plugins/wishlist-member-x' with 'backup' or 'download' parameters
- Unusual file downloads from plugin directories
- 403/404 errors from blocked backup endpoint attempts
Network Indicators:
- HTTP GET requests to /wp-content/plugins/wishlist-member-x/*backup* endpoints
- Large outbound transfers from WordPress directories
SIEM Query:
source="web_server_logs" AND (uri="/wp-content/plugins/wishlist-member-x*" AND (uri="*backup*" OR uri="*download*"))
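The log indicators above can be checked offline against web server access logs. The following added example, which is not part of this advisory, applies the same rule as the SIEM query (plugin path plus a 'backup' or 'download' token in the path or query) to Apache/Nginx combined-format log lines and separates served responses (200) from blocked ones (401/403/404). The sample lines are constructed; the endpoint file name in them is a placeholder, not the plugin's real endpoint.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache/Nginx "combined" log format (assumption: logs use this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

PLUGIN_PATH = "/wp-content/plugins/wishlist-member-x"
KEYWORDS = ("backup", "download")


@dataclass
class Finding:
    ip: str
    time: str
    target: str
    status: int
    bytes_sent: int
    verdict: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line matches the advisory's indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path = target.partition("?")[0]
    # Both conditions mirror the SIEM query: plugin path AND backup/download token.
    if PLUGIN_PATH not in path.lower():
        return None
    if not any(k in target.lower() for k in KEYWORDS):
        return None
    status = int(m.group("status"))
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    if status == 200:
        verdict = "POSSIBLE EXFILTRATION: endpoint served content"
    elif status in (401, 403, 404):
        verdict = "blocked/denied attempt"
    else:
        verdict = "review"
    return Finding(m.group("ip"), m.group("time"), target, status, size, verdict)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over a log and keep only the hits."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample log (documentation IP ranges, placeholder endpoint name).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jun/2024:10:01:22 +0000] "GET /wp-content/plugins/wishlist-member-x/example-backup-endpoint.php?file=backup.sql HTTP/1.1" 200 5242880 "-" "curl/8.0"',
    '203.0.113.5 - - [12/Jun/2024:10:02:01 +0000] "GET /wp-content/plugins/wishlist-member-x/example-backup-endpoint.php?download=1 HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Jun/2024:10:05:10 +0000] "GET /wp-content/plugins/wishlist-member-x/assets/style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jun/2024:10:06:00 +0000] "GET /wp-admin/export.php?download=true HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Jun/2024:10:07:00 +0000] "GET /wp-content/plugins/wishlist-member-x/example-backup-endpoint.php HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.time} {f.ip} {f.status} {f.bytes_sent:>8}B {f.target} -> {f.verdict}")
```

A 200 with a multi-megabyte response on such a path is the case that deserves an incident response; the 403/404 hits show the workaround or WAF rule doing its job and are useful for spotting the source addresses to watch.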
🔗 References
- https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-database-backup-download-vulnerability?_s_id=cve