CVERadar

CVE-2024-37109

Medium Severity

SVRS

30/100

CVSSv3

8.8/10

EPSS

0.00631/1

CVE-2024-37109: Code Injection vulnerability in WishList Member X. This flaw allows for improper control of code generation, potentially leading to remote code execution. Update to version 3.26.7 or later to mitigate this issue.

CVE-2024-37109 is a critical vulnerability affecting WishList Member X before version 3.26.7, categorized as a CWE-94 'Code Injection' flaw. Despite a CVSS score of 8.8, the SOCRadar Vulnerability Risk Score (SVRS) is 30, indicating a lower level of active real-world threat exploitation compared to the potential severity suggested by CVSS. This means, while serious, the active threat level is not as high as it could be. Successful exploitation could allow attackers to inject and execute malicious code on the server, leading to data breaches and complete system compromise. Although tagged "In The Wild", the moderate SVRS score suggests careful monitoring is advisable while patch application is scheduled.

TAGS

In The Wild

VECTOR STRING

CVSS:3.1

AV:N

AC:L

PR:L

UI:N

S:U

C:H

I:H

A:H

PUBLICATION DATE2024-06-24

LAST MODIFIED2024-08-21

SOCRadar

AI Insight

Description:

CVE-2024-37109 is a critical vulnerability in WishList Member X, a membership software, that allows code injection. This vulnerability enables attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise.

Key Insights:

High Severity: The CVSS score of 9.9 indicates the extreme severity of this vulnerability, making it a top priority for remediation.
SVRS of 30: While the SVRS of 30 is lower than the critical threshold of 80, it still signifies a significant risk that requires attention.
Active Exploitation: The "In The Wild" tag indicates that this vulnerability is actively being exploited by hackers, making it imperative to take immediate action.

Mitigation Strategies:

Update Software: Install the latest version of WishList Member X (3.26.7 or later) to patch the vulnerability.
Restrict Access: Limit access to the affected software to only authorized users and implement strong authentication measures.
Monitor Network Traffic: Monitor network traffic for suspicious activity and implement intrusion detection systems to detect and block malicious attempts.
Educate Users: Train users on the importance of cybersecurity and encourage them to report any suspicious activity.

Additional Information:

If you have any further questions regarding this incident, you can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information.

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE

Enhance Your CVE Management with SOCRadar Vulnerability Intelligence

Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.

CREATE FREE ACCOUNT

CVE Details

Access comprehensive CVE information instantly

Real-time Tracking

Subscribe to CVEs and get instant updates

Exploit Analysis

Monitor related APT groups and threats

IOC Tracking

Analyze and track CVE-related IOCs

News

CVE-2024-37109 | Membership Software WishList Member X Plugin up to 3.25.1 on WordPress code injection

vuldb.com2024-06-25

CVE-2024-37109 | Membership Software WishList Member X Plugin up to 3.25.1 on WordPress code injection | A vulnerability, which was classified as critical, was found in Membership Software WishList Member X Plugin up to 3.25.1 on WordPress. This affects an unknown part. The manipulation leads to code injection. This vulnerability is uniquely identified as CVE-2024-37109. It is possible to initiate the attack remotely. There is no exploit available

vuldb.com

rss

forum

news

Social Media

CRAC Learning - Tech

@cracbot

2024-06-29

CVE-2024-37109 (CVSS:9.9, CRITICAL) is Awaiting Analysis. Improper Control of Generation of Code ('Code Injection') vulnerability in Membership Software WishList Member X allows ..https://t.co/osrfB9wkoF #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

CVE

@CVEnew

2024-06-24

CVE-2024-37109 Improper Control of Generation of Code ('Code Injection') vulnerability in Membership Software WishList Member X allows Code Injection.This issue affects WishList Mem… https://t.co/Lw8KEbvvLy

CVEFind.com

@CveFindCom

2024-06-24

[CVE-2024-37109: CRITICAL] Critical Code Injection vulnerability found in WishList Member X software versions 3.25.1 and earlier, allowing unauthorized code execution. Update recommended immediately.#cybersecurity,#vulnerability https://t.co/SipcQoECh3 https://t.co/0PFivrqVU2

Affected Software

No affected software found for this CVE

References

Reference	Link
[email protected]	https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-authenticated-arbitrary-php-code-execution-vulnerability?_s_id=cve

CWE Details

CWE ID	CWE Name	Description
CWE-94	Improper Control of Generation of Code ('Code Injection')	The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE Radar

Real-time CVE Intelligence & Vulnerability Management Platform

CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.

Get Free Vulnerability Intelligence AccessAccess real-time CVE monitoring, exploit analysis, and threat intelligence