CVE-2026-25446: WordPress WishList Member X plugin <= 3.29.0 - Arbitrary File Upload vulnerability
Subscriber Arbitrary File Upload in WishList Member X <= 3.29.0 versions.
Metrics
- CVSS v3.1
- 9.9
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An arbitrary file upload vulnerability affects the WishList Member X WordPress plugin at version 3.29.0 and earlier. It is reachable over the network and requires only a low-privilege (subscriber-level) account, with no victim interaction needed. Successful exploitation gives an attacker full read, write, and availability control over the affected environment, including the ability to execute remote code by uploading a malicious file. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched rebuild available as soon as upstream ships a fix.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built WordPress images carrying the affected plugin.
AvailableHarborGuard is capable of scoring this finding at CVSS 9.9 (Critical) and weighting it against each customer's compliance policy to determine urgency; findings are routable to the appropriate team inbox within each organization based on image ownership and policy configuration.
AvailableBecause no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, customers can apply compensating controls through HarborGuard's policy engine, such as network-isolation rules that restrict access to the affected service.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- AuthenticationRequired
A low-privilege account (subscriber level) is sufficient; no administrative credentials are needed.
- Victim interactionNot required
The attacker can complete the upload entirely on their own without any action from another user.
- Attack complexityDetail
Exploit complexity is low, meaning the attack is reliable and requires no special conditions, race timing, or environmental factors to succeed.
Blast Radius
- Attacker uploads and executes arbitrary server-side code, achieving remote code execution on the WordPress host.
- Attacker reads all stored application data, including user records, membership credentials, and any secrets accessible to the web process.
- Attacker modifies or deletes files, database content, and plugin configuration, corrupting site integrity.
- Attacker can crash or destabilize the affected service, causing a full availability outage for site visitors and members.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-25446, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the moment WishList Products, LLC. publishes a fix version. For customers with auto-remediation enabled, that rebuild will be followed by an automated regression test run and a PR opened against affected workloads, with no manual steps required. While no fix is available, customers can use HarborGuard's policy engine to apply compensating controls: network policies that restrict inbound access to WordPress installations carrying the affected plugin version, egress filtering to limit what a compromised container can reach, and feature-flag gating to disable the upload endpoint at the application layer if the plugin supports it. The advisory status is surfaced in the HarborGuard dashboard and will update automatically when upstream publishes a fix.
- WishList Products, LLC. / WishList Member X≤ 3.29.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H