CVE-2024-37110 – WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Settings & Users Data Dump vulnerability
https://notcve.org/view.php?id=CVE-2024-37110
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from n/a before 3.26.7. Exposición de información confidencial a una vulnerabilidad de actor no autorizado en el software de membresía WishList Member X. Este problema afecta a WishList Member X: desde n/a antes del 3.26.7. The Wishlist Member plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on a function in all versions up to, and including, 3.25.1. This makes it possible for unauthenticated attackers to retrieve settings and user data. • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-settings-users-data-dump-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVE-2024-37109 – WordPress WishList Member X plugin < 3.26.7 - Authenticated Arbitrary PHP Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-37109
Improper Control of Generation of Code ('Code Injection') vulnerability in Membership Software WishList Member X allows Code Injection.This issue affects WishList Member X: from n/a before 3.26.7. Vulnerabilidad de control inadecuado de la generación de código ("inyección de código") en el software de membresía WishList Member X permite la inyección de código. Este problema afecta a WishList Member X: desde n/a hasta 3.25.1. The Wishlist Member plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.25.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server. • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-authenticated-arbitrary-php-code-execution-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-37106 – WishList Member X <= 3.25.1 - Missing Authorization to Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-37106
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the a function in all versions up to, and including, 3.25.1. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts. • CWE-862: Missing Authorization •