WP Fusion Lite CVE-2024-27972
CRITICALSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in Jack Arturo WP Fusion Lite wp-fusion-lite.This issue affects WP Fusion Lite: from n/a through <= 3.41.24.
AnalysisAI
Authenticated code injection in the WP Fusion Lite WordPress plugin (versions up to and including 3.41.24) allows low-privileged users to execute arbitrary PHP code on the underlying server. With a CVSS of 9.9 and changed scope, successful exploitation fully compromises the WordPress site and potentially adjacent components; EPSS places this in the top 2% (98th percentile) of vulnerabilities most likely to be exploited, though no public exploit is identified at time of analysis.
Technical ContextAI
WP Fusion Lite by Jack Arturo is a WordPress plugin that connects WordPress sites to CRM and marketing automation platforms, synchronizing user data and triggering automations. The CWE-94 classification indicates the plugin processes attacker-influenced input as code or as parameters to code-evaluation routines (typically via dynamic PHP execution, deserialization of attacker-controlled data, or unsanitized callable references) rather than treating it as inert data. Because the issue affects all known versions through 3.41.24, the defect appears to be a long-standing logic flaw in how the plugin handles privileged operations exposed to authenticated WordPress users.
Affected ProductsAI
WP Fusion Lite by Jack Arturo, all versions from initial release through and including 3.41.24, deployed as a WordPress plugin. The Patchstack advisory (audit@patchstack.com is the reporting source) should be consulted for the canonical affected-version range and CPE mapping, as the upstream record lists the lower bound as 'n/a'.
RemediationAI
Upgrade WP Fusion Lite to version 3.41.25 or later, which is the first release outside the vulnerable range disclosed by Patchstack - confirm the exact fixed version against the Patchstack advisory before deploying. If immediate patching is not possible, restrict who can authenticate to the WordPress site by disabling open user registration and auditing existing Subscriber and Contributor accounts, since PR:L exploitation requires only a low-privileged account; additionally, deactivate the WP Fusion Lite plugin entirely until patched, accepting the trade-off of losing CRM synchronization. A web application firewall with virtual patching rules from Patchstack or comparable providers can block known exploit patterns at the request layer, though this should be treated as defense-in-depth rather than a substitute for upgrading.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today