Attack Vectors
WishList Member (wishlist-member-x) has a Critical vulnerability (CVSS 9.9) that allows authenticated attackers with Subscriber-level access (or higher) to achieve Remote Code Execution in versions prior to 3.26.7. In practical terms, an attacker only needs a basic logged-in account on your WordPress site to attempt to run code on your server.
This is a network-exploitable issue (no physical access needed), requires low attack complexity, and does not require a victim to click anything (no user interaction). If your site allows self-registration, trial memberships, or any workflow where new users can obtain Subscriber access, the exposure and likelihood increase.
Reference: CVE-2024-37109 (source: Wordfence vulnerability record).
Security Weakness
The security weakness is an authenticated Remote Code Execution condition in the WishList Member plugin for WordPress affecting all versions up to, but not including, 3.26.7. Because the required privilege level is only Subscriber+, this bypasses the common assumption that “only admins can cause major harm” and shifts the risk to any environment where standard user accounts exist.
From a governance and compliance perspective, this type of weakness is high risk because it undermines the trust boundary between a normal user account and the underlying server. The published CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates potential for high-impact compromise of confidentiality, integrity, and availability.
Remediation: Update WishList Member to version 3.26.7 or newer. If you cannot update immediately, reduce exposure by limiting who can create or log in to Subscriber accounts, reviewing the user list for unexpected accounts, and tightening access until the patch is applied.
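As an added example that is not part of the advisory, the following WP-CLI script checks whether the installed WishList Member version falls in the affected range and reports the exposure conditions named above (self-registration and existing Subscriber accounts). It assumes WP-CLI is installed and that the script is run from the WordPress site root.

```shell
#!/bin/sh
# Added example (not from the advisory): flag a vulnerable WishList Member
# install and list the exposure conditions the advisory calls out.

PATCHED_VERSION="3.26.7"   # first fixed release per the advisory

# version_lt A B: succeeds when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# wishlist_vulnerable VERSION: succeeds when VERSION predates the fix.
wishlist_vulnerable() {
    version_lt "$1" "$PATCHED_VERSION"
}

# Live checks; skipped gracefully when WP-CLI or the plugin is absent.
check_site() {
    installed=$(wp plugin get wishlist-member-x --field=version 2>/dev/null) || {
        echo "WishList Member (wishlist-member-x) not found or WP-CLI unavailable"
        return 0
    }
    if wishlist_vulnerable "$installed"; then
        echo "VULNERABLE: WishList Member $installed < $PATCHED_VERSION (CVE-2024-37109)"
    else
        echo "OK: WishList Member $installed is at or above $PATCHED_VERSION"
    fi
    # Exposure conditions from the advisory: open registration and Subscriber accounts.
    echo "users_can_register=$(wp option get users_can_register)"
    echo "subscriber accounts: $(wp user list --role=subscriber --format=count)"
    wp user list --role=subscriber --fields=ID,user_login,user_email,user_registered
}

check_site
```

Disabling self-registration while you patch can be done with `wp option update users_can_register 0`, which is the same setting as Settings > General > "Anyone can register".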
Technical or Business Impacts
If exploited, Remote Code Execution can enable attackers to take actions that directly translate into business harm: defacing the site, stealing customer or member data, disrupting checkout and lead-generation flows, injecting malicious redirects, deploying ransomware, or using your server as a foothold to move into connected systems. This can trigger incident response costs, downtime, lost revenue, reputational damage, and potential regulatory/compliance consequences depending on what data is accessible from the server.
Because the vulnerability is reachable by a low-privilege authenticated user, it can also turn common marketing and membership features (registrations, gated content, newsletters, trial accounts) into an exposure point if not tightly controlled. For leadership teams, the key takeaway is that this is not just a “plugin update” issue—it is a business continuity and data-risk issue until patched.
Similar attacks (real-world examples): Remote code execution vulnerabilities have historically led to large-scale exploitation and urgent patch cycles, including Log4Shell (CVE-2021-44228) and Apache Struts RCE (CVE-2017-5638), both the subject of CISA alerts, and Drupal "Drupalgeddon2" (CVE-2018-7600), documented on NVD.