PatchSiren cyber security CVE debrief

CVE-2026-25446 WishList Products, LLC. CVE debrief

A critical vulnerability (CVSS Score: 9.9) was discovered in the WishList Member X plugin for WordPress, affecting versions up to 3.29.0. This vulnerability allows subscribers to upload arbitrary files, potentially leading to severe consequences, including code execution and data breaches. The vulnerability was made public on June 17, 2026. Users of the affected plugin should take immediate action to mitigate the risk.

Vendor: WishList Products, LLC.
Product: WishList Member X
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of the WishList Member X plugin for WordPress, especially those with subscriber roles, should be aware of this vulnerability. Additionally, security teams and IT professionals responsible for maintaining WordPress installations with this plugin should prioritize patching or mitigating this vulnerability.

Technical summary

CVE-2026-25446 is a critical vulnerability in the WishList Member X plugin for WordPress. It allows authenticated users holding only the Subscriber role to upload arbitrary files, which could lead to remote code execution, data breaches, or other malicious activity on the affected site. The vulnerability carries a CVSS score of 9.9 (critical). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H: it is exploitable over the network with low attack complexity, requires only low privileges (a subscriber account) and no user interaction, and its impact extends beyond the plugin itself (changed scope) with high impact on confidentiality, integrity and availability.

Defensive priority

critical

Recommended defensive actions

  • Update the WishList Member X plugin to a version beyond 3.29.0 immediately.
  • Restrict file upload capabilities for subscriber roles.
  • Implement additional security measures, such as Web Application Firewalls (WAFs) and intrusion detection systems.
  • Monitor WordPress installations and subscriber activity closely for suspicious behavior.
  • Consider temporarily disabling the plugin until a patch is applied.
  • Review and update incident response plans to address potential exploitation.
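The monitoring step above is easiest to act on with a concrete check. The following script is an added example written for this debrief; it is not code from PatchSiren, WishList Products or the plugin, and it assumes nothing about how the plugin stores uploads beyond the standard wp-content/uploads tree. It walks an uploads directory and flags the artifacts an arbitrary-file-upload bug typically leaves behind: files with a PHP-executable extension, double extensions such as name.php.jpg, an .htaccess dropped into the uploads tree, and files whose content carries a PHP open tag regardless of extension. The heuristics and the sample file tree are constructed for the demonstration; tune the extension list to the server's actual handler configuration.

```python
import os
import re
import tempfile

# Extensions that should never appear under wp-content/uploads on a
# standard WordPress site (assumed list; extend to match the server's
# PHP handler configuration).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "shtml"}

# Double extension such as "image.php.jpg": some handler configurations
# dispatch on the inner extension, so treat it as suspicious.
DOUBLE_EXT_RE = re.compile(
    r"\.(" + "|".join(EXECUTABLE_EXTS) + r")\.[A-Za-z0-9]+$", re.IGNORECASE
)

# A PHP open tag in the first few KB of a file. Images and PDFs never
# legitimately contain one, so this catches polyglots behind a benign name.
PHP_TAG_RE = re.compile(rb"<\?php|<\?=")


def find_suspicious_uploads(uploads_dir, head_bytes=4096):
    """Return a sorted list of (relative_path, [reasons]) for flagged files."""
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, uploads_dir)
            reasons = []
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if DOUBLE_EXT_RE.search(name):
                reasons.append("double extension")
            if name.lower() == ".htaccess":
                # Uploads should never carry their own handler overrides.
                reasons.append("htaccess in uploads")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                head = b""
            if PHP_TAG_RE.search(head):
                reasons.append("php code in content")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_uploads():
    """Create a constructed uploads tree (test data, not real site content)."""
    base = tempfile.mkdtemp(prefix="wp-uploads-")
    d = os.path.join(base, "2026", "06")
    os.makedirs(d)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF benign image bytes",
        "invoice.pdf": b"%PDF-1.4 benign document",
        "cache.php": b"<?php echo 'constructed test marker'; ?>",
        "avatar.php.png": b"\x89PNG constructed, no code inside",
        "logo.png": b"GIF89a<?php /* constructed polyglot marker */ ?>",
        ".htaccess": b"AddType application/x-httpd-php .png",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return base


if __name__ == "__main__":
    root = build_sample_uploads()
    for rel, reasons in find_suspicious_uploads(root):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against the real uploads directory (for example `find_suspicious_uploads("/var/www/html/wp-content/uploads")`) from a cron job or during incident triage; a hit is a reason to check web server access logs for the upload request and to treat the host as potentially compromised until the file's origin is explained. The scan is a detection aid only: the fix remains updating the plugin past 3.29.0.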

Evidence notes

The vulnerability information was obtained from the National Vulnerability Database (NVD) and Patchstack. The CVE record and NVD detail pages provide further information about the vulnerability.
