External risk intelligence

WishList Member X Subscriber Arbitrary File Upload Vulnerability

CVE advisory. Severity: CRITICAL (CVSS 9.9)

CVE-2026-25446

A critical arbitrary file upload vulnerability exists in the WishList Member X plugin, allowing authenticated users to upload malicious files, potentially leading to website compromise. This vulnerability is externally reachable, posing a risk to web application integrity and availability.

Unrestricted File Upload

Halo Surface Signal

Likely · external exposure

4 · Halo Surface Signal

The vulnerability affects a WordPress plugin, which is a type of web application component. WordPress sites and their plugins are typically deployed as internet-facing web services, making the attack surface readily reachable from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

A critical security vulnerability has been identified in the WishList Member X plugin that allows arbitrary file uploads. An attacker could upload malicious files to a website running this plugin, compromising the site's integrity and data. The primary concern is confirming whether this plugin is in use and whether it is exposed to external threats.

  • Allows unauthorized file uploads.
  • Potential for website compromise.
  • Confirm usage and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by uploading a malicious file through a low-privileged (subscriber-level) user account. The affected file upload functionality is part of the WishList Member X plugin. Successful exploitation could lead to a complete compromise of the affected system.

  • Requires authenticated user access.
  • Triggered by uploading a crafted file.
  • Leads to arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an authenticated subscriber to upload arbitrary files to the web server. As described in the advisory, this affects the integrity and availability of the web application and can lead to execution of malicious code if the server processes the uploaded file.

  • Web server files and integrity.
  • Arbitrary file upload by subscriber.
  • Server compromise or disruption.

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical arbitrary file upload vulnerability in WishList Member X impacts WordPress sites. Application owners and infrastructure teams are likely responsible for managing this plugin. The first practical step is to identify all instances of the affected plugin, determine their exposure and business criticality, and then assign ownership for remediation.

  • Plugin owners should manage remediation.
  • Verify affected plugin instances and exposure.
  • Plan maintenance for risk reduction.
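The inventory step above is concrete enough to script. The following stand-alone PHP CLI check is an added example, not Halo or WishList Member tooling: it lists installed plugins from their header comments (flagging the one named on this page) and reports script files under wp-content/uploads, the directory where an unrestricted upload typically lands. The plugin's folder name and the fixed version are not given on this page, so matching is by the human-readable "Plugin Name" header only; the command-line usage shown in the comment is an assumption for the example.

```php
<?php
// Added example (not WishList Member X or Halo code). Run against a
// WordPress document root, e.g.:  php wp-inventory-check.php /var/www/html
declare(strict_types=1);

const TARGET_PLUGIN = 'WishList Member';   // assumed display-name prefix; matched case-insensitively
const SCRIPT_EXTS   = ['php', 'phtml', 'php5', 'php7', 'phar', 'inc'];

// Parse the "Plugin Name:" and "Version:" lines from a plugin's header comment.
// WordPress itself only inspects the first 8 KiB of the file, so we do the same.
function read_plugin_header(string $file): ?array {
    $head = file_get_contents($file, false, null, 0, 8192);
    if ($head === false || !preg_match('/^\s*\*?\s*Plugin Name:\s*(.+)$/mi', $head, $m)) {
        return null;
    }
    $version = preg_match('/^\s*\*?\s*Version:\s*(.+)$/mi', $head, $v) ? trim($v[1]) : 'unknown';
    return ['name' => trim($m[1]), 'version' => $version, 'file' => $file];
}

// Walk wp-content/plugins and return one header per plugin directory.
function inventory_plugins(string $docroot): array {
    $found = [];
    foreach (glob($docroot . '/wp-content/plugins/*', GLOB_ONLYDIR) ?: [] as $dir) {
        foreach (glob($dir . '/*.php') ?: [] as $php) {
            if ($hdr = read_plugin_header($php)) {
                $found[] = $hdr;
                break;   // the first file with a header is the plugin's main file
            }
        }
    }
    return $found;
}

// Detection: executable script files should never exist under uploads.
// Their presence is a strong indicator that an upload control has failed.
function find_scripts_in_uploads(string $docroot): array {
    $hits = [];
    $base = $docroot . '/wp-content/uploads';
    if (!is_dir($base)) {
        return $hits;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        $ext = strtolower(pathinfo($f->getFilename(), PATHINFO_EXTENSION));
        if (in_array($ext, SCRIPT_EXTS, true)) {
            $hits[] = $f->getPathname();
        }
    }
    return $hits;
}

$docroot = rtrim($argv[1] ?? getcwd(), '/');

foreach (inventory_plugins($docroot) as $p) {
    $flag = stripos($p['name'], TARGET_PLUGIN) === 0 ? '  <-- review against CVE-2026-25446' : '';
    printf("%-40s %-12s%s\n", $p['name'], $p['version'], $flag);
}
foreach (find_scripts_in_uploads($docroot) as $path) {
    echo "script file under uploads: $path\n";
}
```

On hosts where WP-CLI is available, `wp plugin list` gives the same inventory with less code; the uploads scan is still worth running separately, and a web-server rule that refuses to execute scripts under wp-content/uploads reduces the impact of any upload control that fails before a patch is applied.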

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-25446 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability allows authenticated (subscriber-level) attackers to upload arbitrary files, potentially leading to code execution on affected systems. Because it is network-accessible and has a high impact, it is considered relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is WishList Member X?

WishList Member X is a plugin designed for WordPress, the widely used content management system. Plugins like this extend the core functionality of a website, specifically providing features for managing member subscriptions and access control. Because it integrates directly into the WordPress environment, it handles user data and server-side operations that are essential for running gated or membership-based web content.

What does CWE-434 mean for CVE-2026-25446?

This vulnerability is classified as CWE-434, which refers to Unrestricted Upload of File with Dangerous Type. In plain English, the software fails to properly check or limit the types of files users are allowed to upload. Because the plugin does not correctly validate these files, it may accept and save malicious scripts, allowing an attacker to place harmful code onto the web server.
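To make the CWE-434 pattern concrete, the following added example (not code from WishList Member X) shows a WordPress AJAX upload handler in the vulnerable shape beside a hardened version. The AJAX action name, the `example_avatar` form field and the nonce name are assumptions for the example; the WordPress functions used (`current_user_can`, `check_ajax_referer`, `wp_check_filetype_and_ext`, `wp_handle_upload`) are the real core APIs.

```php
<?php
// Added illustration of CWE-434 in a WordPress plugin context; hook names,
// the 'example_avatar' field and 'example_upload_nonce' are assumed.

// --- Vulnerable shape: every logged-in user reaches it, and the client
//     controls both the file name and (implicitly) the file type. ---
function example_upload_vulnerable() {
    $file = $_FILES['example_avatar'];
    // Destination built from the client-chosen name: a .php file ends up in a
    // web-served directory and is executed on the next request to it.
    $dest = wp_upload_dir()['basedir'] . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    wp_send_json_success(['path' => $dest]);
}

// --- Hardened version ---
function example_upload_hardened() {
    // 1. Authorisation: subscribers do not hold 'upload_files', so they are
    //    rejected here regardless of what the rest of the handler does.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    // 2. CSRF protection for the AJAX action.
    check_ajax_referer('example_upload_nonce', 'nonce');

    if (empty($_FILES['example_avatar']) || $_FILES['example_avatar']['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('no file', 400);
    }
    $file = $_FILES['example_avatar'];

    // 3. Allow-list for this feature, deliberately narrower than the site-wide default.
    $allowed = ['jpg|jpeg' => 'image/jpeg', 'png' => 'image/png'];

    // 4. Check the extension against the real content; the client's declared
    //    MIME type ($file['type']) is never trusted.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $allowed);
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error('file type not allowed', 415);
    }

    // 5. Let WordPress place the file: it sanitises the name, avoids
    //    collisions and writes only under the configured uploads directory.
    $result = wp_handle_upload($file, ['test_form' => false, 'mimes' => $allowed]);
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 500);
    }
    wp_send_json_success(['url' => $result['url']]);
}
add_action('wp_ajax_example_upload', 'example_upload_hardened');
```

The two checks that matter most for a CWE-434 finding are the capability test (step 1) and the content-based type check (step 4): an extension allow-list on its own can be bypassed by a file whose content does not match its name, and a type check on its own still lets every subscriber write to the server.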

How is this arbitrary file upload triggered?

An attacker triggers this flaw by interacting with the plugin's file upload feature using an account that has at least subscriber-level privileges. The vulnerability does not trigger through public or unauthenticated access; it requires the attacker to be a logged-in user. Simply visiting the site or browsing pages without an active, authenticated session does not initiate the upload process.

Why does Halo Surface Signal flag this as relevant?

Halo Surface Signal flags this as relevant because WishList Member X is a WordPress plugin, which typically operates within web applications accessible from the public internet. Since these services are designed to be reached by users globally, the functionality required to trigger the file upload is also reachable, meaning the potential for compromise exists if the site is internet-facing.

What should I do if I use this plugin?

The most important first step is to perform an inventory of your WordPress environment to confirm where WishList Member X is installed. Once identified, evaluate the business role of those specific sites and coordinate with your technical or maintenance teams to restrict plugin access or prepare for a security update. Managing these instances centrally helps ensure you can apply necessary changes without disrupting your site's availability.
