CVE-2024-37112: 
WordPress vulnerability analysis and mitigation

A critical SQL Injection vulnerability (CVE-2024-37112) was discovered in the WordPress WishList Member X plugin affecting versions before 3.26.7. The vulnerability was reported by Dave Jong from Patchstack on February 10, 2024, and was publicly disclosed on June 20, 2024 (Patchstack Report).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) with CWE-89. It received a critical CVSS v3.1 score of 10.0 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating the highest possible severity. The issue stems from insufficient escaping of user-supplied parameters and lack of proper SQL query preparation (WPScan Report).

This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries against the target database. The impact includes potential data theft, unauthorized data modification, and possible exposure of sensitive information stored in the WordPress database (Patchstack Report).

Site administrators are strongly advised to update to WishList Member X version 3.26.7 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack Report).