This vulnerability (CVE-2026-25446) affects WishList Member X versions up to and including 3.29.0, enabling subscribers to upload files of dangerous types without restriction. This arbitrary file upload flaw can be exploited remotely over the network with low attack complexity and requires only low privileges (subscriber level). The vulnerability has a critical CVSS 3.1 base score of 9.9, reflecting its potential for complete system compromise (confidentiality, integrity, and availability impacts). No vendor advisory or patch information is currently available, and the product is not a cloud service, so remediation depends on vendor action or user mitigation.

Successful exploitation allows an attacker with subscriber privileges to upload arbitrary files, potentially leading to full system compromise including unauthorized data access, modification, or denial of service. The vulnerability affects confidentiality, integrity, and availability with high severity as indicated by the CVSS score of 9.9.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting subscriber file upload capabilities or applying compensating controls to limit file types and scanning uploaded content. Monitor vendor channels for updates.