CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37107 – WordPress WishList Member X plugin < 3.26.7 - Authenticated Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2024-37107
Improper Privilege Management vulnerability in Membership Software WishList Member X allows Privilege Escalation.This issue affects WishList Member X: from n/a before 3.26.7. Vulnerabilidad de gestión de privilegios inadecuada en el software de membresía WishList Member X permite la escalada de privilegios. Este problema afecta a WishList Member X: desde n/a hasta 3.25.1. The Wishlist Member plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.25.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to gain privileges higher than the ones intended. • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-authenticated-privilege-escalation-vulnerability?_s_id=cve • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37113 – WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Database Backup Download vulnerability
https://notcve.org/view.php?id=CVE-2024-37113
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from n/a before 3.26.7. Exposición de información confidencial a una vulnerabilidad de actor no autorizado en el software de membresía WishList Member X. Este problema afecta a WishList Member X: desde n/a antes del 3.26.7. The Wishlist Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.25.1 due to a weakness that allows for unauthorized downloads of the sites database backup. This makes it possible for unauthenticated attackers to extract sensitive information from a sites database. • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-database-backup-download-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37108 – WishList Member X <= 3.25.1 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2024-37108
The Wishlist Member plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 3.25.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the write file is deleted (such as wp-config.php). • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37111 – WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Denial of Service Attack vulnerability
https://notcve.org/view.php?id=CVE-2024-37111
Missing Authorization vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from n/a before 3.26.7. Vulnerabilidad de autorización faltante en el software de membresía WishList Member X. Este problema afecta a WishList Member X: desde n/a hasta 3.25.1. The Wishlist Member plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 3.25.1. This makes it possible for unauthenticated attackers to limit access to a site. • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-denial-of-service-attack-vulnerability?_s_id=cve • CWE-400: Uncontrolled Resource Consumption CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37112 – WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Arbitrary SQL Query Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-37112
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from n/a before 3.26.7. Neutralización incorrecta de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en Membership Software WishList Member X. Este problema afecta a WishList Member X: desde n/a antes de 3.26.7. The WishList Member X plugin for WordPress is vulnerable SQL Injection in versions up to, and including, 3.25.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to run arbitrary SQL queries that can be used to extract sensitive information from the database and inject new information. • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-arbitrary-sql-query-execution-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •