Wishlist Member Vulnerability (High) – CVE-2024-37108

by | Feb 26, 2026 | Plugins

Attack Vectors

WishList Member (plugin slug: wishlist-member-x) versions earlier than 3.26.7 are affected by CVE-2024-37108, a High severity vulnerability (CVSS 8.1; vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

The key risk is that an attacker only needs a logged-in account (Subscriber-level access or higher) to exploit the issue. In practical terms, this means the attack surface includes any WordPress site where users can create accounts (member portals, gated content, customer communities, event sites, partner portals) and where accounts could be created freely or obtained through credential stuffing, phishing, or reused passwords.

Because the vulnerability is exploitable over the network and does not require user interaction, it can be targeted quickly once an attacker has any low-privilege login. This is particularly relevant for marketing-driven sites that rely on frictionless registrations to maximize conversions.

Security Weakness

The plugin is vulnerable to authenticated arbitrary file deletion due to insufficient file path validation in versions up to, but not including, 3.26.7. This weakness can allow a logged-in attacker to delete files that should never be user-controllable.

Even though the attacker’s role is only Subscriber (or higher), the ability to delete arbitrary files shifts the risk profile from “member-area misuse” to “server-level disruption.” In WordPress environments, deleting the wrong file can destabilize the site, break application logic, or open pathways for follow-on compromise.

Reference: CVE-2024-37108. Public vulnerability details and the affected version range are documented in the Wordfence Threat Intel entry for this CVE.
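To make "insufficient file path validation" concrete, the following PHP is an added illustration written for this article and is not WishList Member's code; the handler names, the file request parameter and the member-files directory are assumptions. It contrasts the weak pattern (a user-supplied name joined straight onto a path) with a hardened handler that enforces capability and nonce checks and canonicalises the path before deleting.

```php
<?php
// Added illustration, not plugin code. Handler names, the 'file'
// request parameter and the member-files directory are assumptions.

// Weak pattern: the request value is used as-is, so any authenticated
// user who reaches this handler can supply traversal components ("..")
// and point unlink() at files outside the intended directory.
function insecure_member_file_delete() {
    $file = isset($_POST['file']) ? $_POST['file'] : '';
    $path = WP_CONTENT_DIR . '/uploads/member-files/' . $file;
    if (file_exists($path)) {
        unlink($path);
    }
}

// Returns the canonical path of $file inside $base_dir, or null when the
// resolved path escapes the directory or is not a regular file.
function member_file_resolve_allowed($base_dir, $file) {
    $base = realpath($base_dir);
    if ($base === false || $file === '') {
        return null;
    }
    // realpath() resolves symlinks and ".." components; the prefix check
    // then rejects anything that lands outside the allowed directory.
    $target = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($target) ? $target : null;
}

// Hardened handler: a capability the role should genuinely hold, a nonce
// bound to this action, a sanitised filename and the containment check
// above, all before the filesystem is touched.
function secure_member_file_delete() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }
    check_admin_referer('member_file_delete', 'member_file_nonce');

    $file   = isset($_POST['file']) ? sanitize_file_name(wp_unslash($_POST['file'])) : '';
    $target = member_file_resolve_allowed(WP_CONTENT_DIR . '/uploads/member-files', $file);
    if ($target === null) {
        wp_die('Invalid file path', 400);
    }
    wp_delete_file($target);
}
```

The containment check is the piece that addresses the weakness class named in the advisory; the capability and nonce checks narrow who can reach the handler at all, which is why the remediation advice around Subscriber account hygiene still matters.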

Technical or Business Impacts

Website outage and revenue loss: Arbitrary file deletion can take a site offline (availability impact is rated high). For marketing and eCommerce programs, downtime directly affects lead generation, paid media ROI, campaign performance, and sales.

Risk of broader compromise: The vulnerability summary notes that deletion of critical files (for example, wp-config.php) can “easily lead to remote code execution” in some scenarios. From a business perspective, this elevates the incident from a simple disruption to a potential full-site compromise with follow-on risks like backdoors, defacement, SEO spam, or malware distribution.

Operational and compliance exposure: Incidents involving unauthorized changes to production systems can trigger customer communications, incident response costs, forensic work, and potential compliance reporting obligations depending on your industry and the data handled on the site. Even when confidentiality is not the primary impact driver here, integrity and availability events can still create contractual and regulatory risk.

Recommended remediation: Update WishList Member to version 3.26.7 or a newer patched release as advised in the source. In parallel, review how Subscriber accounts are created and protected (e.g., limiting open registration where feasible, enforcing strong authentication controls, and monitoring for suspicious logins), since exploitation requires an authenticated user.

Similar Attacks

While the exact mechanics vary by plugin, arbitrary file operations (deletion/write) in WordPress plugins are a common pathway to outages and follow-on compromise:

Wordfence: File Manager plugin vulnerability (2019) and active exploitation
WordPress.org: WordPress Security guidance (defense-in-depth and hardening)
