Attack Vectors
WishList Member X (plugin slug wishlist-member-x) versions up to and including 3.25.1 contain a critical vulnerability (CVSS 10.0) that is exploitable without authentication: anyone who can reach the site over the internet can target it directly, with no account required.
The issue is an unauthenticated SQL injection (CVE-2024-37112). An attacker sends crafted HTTP requests to the site, the plugin passes the attacker-controlled input into a database query, and the database runs statements the developer never intended. No click or other action by a site user or administrator is needed, so exploitation can proceed unnoticed in the background.
Security Weakness
The root cause is insufficient escaping of a user-supplied parameter combined with a lack of query preparation in an existing database query: the plugin builds the SQL text by inserting request data into it rather than binding the value as a parameter (in WordPress, $wpdb->prepare()). Affected versions of the WishList Member X plugin are therefore open to SQL injection.
According to the public advisory, this weakness lets attackers run arbitrary SQL queries: not only reading data but also potentially inserting new information into the database. References: CVE-2024-37112 and the Wordfence Threat Intelligence report.
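The following is an added illustration of the weakness class described above (a user-supplied value spliced into SQL text with no escaping and no prepared statement) beside the prepared-statement form that fixes it. It is not code from the WishList Member X plugin or from the advisory; the tables, column names, rows and the parameter being filtered on are constructed assumptions, and SQLite stands in for MySQL because it runs offline. The WordPress-specific equivalent of the hardened function is $wpdb->prepare().

```python
import sqlite3

# Constructed sample data standing in for a membership plugin's tables.
# Table and column names are assumptions for illustration, not the real
# WishList Member X schema.
MEMBER_ROWS = [
    (1, "alice", "alice@example.com", "gold"),
    (2, "bob", "bob@example.com", "free"),
    (3, "carol", "carol@example.com", "gold"),
]
USER_ROWS = [(1, "admin", "$P$B_constructed_hash_placeholder")]


def make_db():
    """Build an in-memory database with a members table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_members (id INTEGER, user_login TEXT, email TEXT, level TEXT)")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO wp_members VALUES (?, ?, ?, ?)", MEMBER_ROWS)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", USER_ROWS)
    return conn


def members_by_level_vulnerable(conn, level):
    """The weakness the advisory describes: request data is spliced into SQL text.

    Nothing escapes quote characters in `level` and the query is not prepared,
    so the value can terminate the string literal and append its own clauses.
    """
    sql = f"SELECT user_login, email FROM wp_members WHERE level = '{level}'"
    return conn.execute(sql).fetchall()


def members_by_level_prepared(conn, level):
    """Hardened form: the value is bound as a parameter and can only ever be data.

    The WordPress equivalent is $wpdb->prepare("... WHERE level = %s", $level).
    """
    sql = "SELECT user_login, email FROM wp_members WHERE level = ?"
    return conn.execute(sql, (level,)).fetchall()


# A crafted parameter of the kind an unauthenticated HTTP request could carry:
# it closes the string literal, appends a UNION that reads a different table
# with a matching column count, and comments out the trailing quote.
PAYLOAD = "free' UNION SELECT user_login, user_pass FROM wp_users -- "


def demo():
    """Run the same payload through both query styles and return both results."""
    conn = make_db()
    leaked = members_by_level_vulnerable(conn, PAYLOAD)
    safe = members_by_level_prepared(conn, PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("unprepared query returned:", leaked)  # contains the admin password hash row
    print("prepared query returned:  ", safe)    # [] because the payload matches no level
```

Run as-is: the unprepared query hands back the admin row from wp_users alongside the legitimate member rows, while the prepared query treats the whole payload as a level name and returns nothing. The fix is not to escape more carefully but to stop assembling SQL from request data at all.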
Technical or Business Impacts
Because the attack can be performed without credentials and is rated Critical, the business risk is immediate for organizations running affected versions. Potential impacts include:
Data exposure: Attackers may extract sensitive information stored in the WordPress database (for example, member records, emails, or other stored site data), which can trigger privacy obligations and reputational damage.
Integrity and trust issues: Attackers may inject or alter database content, which can undermine member access rules, corrupt marketing lists, change site content, or disrupt customer journeys.
Operational disruption: Database manipulation can lead to site instability or outages, impacting lead generation, campaign landing pages, and revenue.
Compliance and legal costs: If personal data is exposed, notification requirements, regulatory inquiries, and incident-response costs can escalate quickly—especially for membership-driven businesses.
Remediation: Update the WishList Member X plugin to version 3.26.7 or newer, the patched version recommended in the advisory. Because the flaw needs no authentication, treat any site still running an older version as exposed until the update has been applied and the installed version confirmed.
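As an added example for the remediation step (not from the advisory or the plugin vendor), the script below triages a fleet of WordPress sites using the version boundaries quoted above: 3.25.1 as the last version listed as affected and 3.26.7 as the version to install. It goes slightly beyond the page by flagging every install below 3.26.7 rather than only those at or below 3.25.1, since versions in between are not confirmed safe by the text here. The inventory is a constructed sample shaped like `wp plugin list --format=json` output (WP-CLI's default fields are name, status, update and version); the hostnames and versions are made up.

```python
import json
import re

# Version boundaries taken from the advisory text above.
LAST_AFFECTED = "3.25.1"
FIRST_RECOMMENDED = "3.26.7"
PLUGIN_SLUG = "wishlist-member-x"

# Constructed sample of `wp plugin list --format=json` output for four hosts.
# Hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "shop.example": '[{"name":"akismet","status":"active","update":"none","version":"5.3"},'
                    '{"name":"wishlist-member-x","status":"active","update":"available","version":"3.25.1"}]',
    "blog.example": '[{"name":"wishlist-member-x","status":"inactive","update":"available","version":"3.26.2"}]',
    "members.example": '[{"name":"wishlist-member-x","status":"active","update":"none","version":"3.26.7"}]',
    "static.example": '[{"name":"akismet","status":"active","update":"none","version":"5.3"}]',
}


def parse_version(version):
    """Turn '3.26.7' into (3, 26, 7) so comparisons are numeric, not lexical.

    A plain string comparison ranks '3.9' above '3.26', which is exactly the
    mistake that leaves a vulnerable install reported as patched.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 like a comparator, padding shorter versions with zeros."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_in_advisory_range(version):
    """True for versions the advisory lists as affected (up to and including 3.25.1)."""
    return compare_versions(version, LAST_AFFECTED) <= 0


def needs_update(version):
    """True for anything below the version the advisory says to install.

    This is the stricter test to act on: releases between the last listed
    affected version and the recommended fix are not confirmed safe here.
    """
    return compare_versions(version, FIRST_RECOMMENDED) < 0


def find_exposed(inventory):
    """Map host -> installed plugin version for every host that still needs the update.

    Inactive installs are included deliberately: the plugin's files are still on
    disk under wp-content/plugins, and reactivating it would re-expose the site.
    """
    exposed = {}
    for host, raw in inventory.items():
        for plugin in json.loads(raw):
            if plugin["name"] == PLUGIN_SLUG and needs_update(plugin["version"]):
                exposed[host] = plugin["version"]
    return exposed


if __name__ == "__main__":
    for host, version in sorted(find_exposed(SAMPLE_INVENTORY).items()):
        print(f"{host}: {PLUGIN_SLUG} {version} -> update to {FIRST_RECOMMENDED} or newer")
```

On real hosts, replace SAMPLE_INVENTORY with the captured output of `wp plugin list --format=json` from each site; the comparison logic is the part worth keeping, because ad hoc string checks on version numbers are a common way for a "patched" report to be wrong.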
Similar Attacks
SQL injection has been a recurring cause of major breaches and business disruption. Examples include:
TalkTalk (2015) – attackers exploited a SQL injection flaw in a legacy web page, exposing the personal data of roughly 157,000 customers; the UK Information Commissioner's Office later fined the company £400,000, and the incident caused significant reputational and financial damage.
Heartland Payment Systems (2008) – in the U.S. Department of Justice prosecution of Albert Gonzalez and co-conspirators, SQL injection was cited as the method used to gain initial access to Heartland and other payment processors and retailers, enabling the theft of well over 100 million payment card numbers.