CVE-2024-37113: 
WordPress vulnerability analysis and mitigation

The WishList Member X WordPress plugin was found to contain a Sensitive Information Exposure vulnerability (CVE-2024-37113) that affects versions prior to 3.26.7. The vulnerability was discovered by Dave Jong and publicly disclosed on June 20, 2024. This security issue allows unauthorized actors to download database backups from affected WordPress sites (Patchstack, WPScan).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high impact to confidentiality, integrity, and availability (Patchstack).

The vulnerability allows unauthenticated attackers to extract sensitive information from a site's database through unauthorized access to database backups. This exposure of sensitive data could potentially lead to further exploitation of the affected systems (WPScan).

The vulnerability has been fixed in version 3.26.7 of the WishList Member X plugin. Site administrators are strongly advised to update to this version or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).