Skip to main content

WP Fusion Lite CVE-2024-27972

CRITICAL
Code Injection (CWE-94)
2024-04-03 audit@patchstack.com
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 28, 2026 - 13:22 NVD
9.9 (CRITICAL)
CVE Published
Apr 03, 2024 - 12:15 nvd
N/A

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in Jack Arturo WP Fusion Lite wp-fusion-lite.This issue affects WP Fusion Lite: from n/a through <= 3.41.24.

AnalysisAI

Authenticated code injection in the WP Fusion Lite WordPress plugin (versions up to and including 3.41.24) allows low-privileged users to execute arbitrary PHP code on the underlying server. With a CVSS of 9.9 and changed scope, successful exploitation fully compromises the WordPress site and potentially adjacent components; EPSS places this in the top 2% (98th percentile) of vulnerabilities most likely to be exploited, though no public exploit is identified at time of analysis.

Technical ContextAI

WP Fusion Lite by Jack Arturo is a WordPress plugin that connects WordPress sites to CRM and marketing automation platforms, synchronizing user data and triggering automations. The CWE-94 classification indicates the plugin processes attacker-influenced input as code or as parameters to code-evaluation routines (typically via dynamic PHP execution, deserialization of attacker-controlled data, or unsanitized callable references) rather than treating it as inert data. Because the issue affects all known versions through 3.41.24, the defect appears to be a long-standing logic flaw in how the plugin handles privileged operations exposed to authenticated WordPress users.

Affected ProductsAI

WP Fusion Lite by Jack Arturo, all versions from initial release through and including 3.41.24, deployed as a WordPress plugin. The Patchstack advisory (audit@patchstack.com is the reporting source) should be consulted for the canonical affected-version range and CPE mapping, as the upstream record lists the lower bound as 'n/a'.

RemediationAI

Upgrade WP Fusion Lite to version 3.41.25 or later, which is the first release outside the vulnerable range disclosed by Patchstack - confirm the exact fixed version against the Patchstack advisory before deploying. If immediate patching is not possible, restrict who can authenticate to the WordPress site by disabling open user registration and auditing existing Subscriber and Contributor accounts, since PR:L exploitation requires only a low-privileged account; additionally, deactivate the WP Fusion Lite plugin entirely until patched, accepting the trade-off of losing CRM synchronization. A web application firewall with virtual patching rules from Patchstack or comparable providers can block known exploit patterns at the request layer, though this should be treated as defense-in-depth rather than a substitute for upgrading.

Share

CVE-2024-27972 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy