CVE-2024-27972 — AI Deep Analysis Summary

🚨 **Essence**: Critical Remote Code Execution (RCE) in WP Fusion Lite. 📉 **Consequences**: Full server compromise.…

🛡️ **Root Cause**: CWE-94 (Code Injection). 💥 **Flaw**: The plugin uses `call_user_func` with unsanitized input in `class-shortcodes.php`.…

📦 **Product**: WordPress Plugin WP Fusion Lite. 👤 **Vendor**: Jack Arturo. 📅 **Affected Versions**: Versions <= 3.41.24. ⚠️ **Scope**: Any WordPress site running this specific plugin version.

🔓 **Privileges**: Attacker gains the same privileges as the WordPress user (Contributor+). 💾 **Data**: Full Read/Write/Execute access.…

🔑 **Auth Required**: YES. 📊 **Threshold**: Low-Medium. Requires an authenticated account with at least 'Contributor' level privileges. 🌐 **Network**: Network Accessible (AV:N).…

🔥 **Public Exploit**: YES. 📂 **PoC Available**: GitHub repo `truonghuuphuc/CVE-2024-27972-Poc` exists. 🌍 **Wild Exploitation**: High risk.…

🔍 **Self-Check**: 1. Check installed plugins for 'WP Fusion Lite'. 2. Verify version is <= 3.41.24. 3. Scan for `call_user_func` usage in `includes/class-shortcodes.php`. 🛠️ **Tools**: Use WPScan or manual code review.

🩹 **Official Fix**: Update to version > 3.41.24. 📢 **Source**: Patchstack and vendor advisories confirm the fix. ⏳ **Action**: Immediate upgrade is the primary mitigation strategy.

🚧 **No Patch Workaround**: 1. Disable the plugin immediately if not critical. 2. Restrict user roles (remove Contributor+ access if possible). 3. Implement WAF rules to block malicious shortcode injections.…

🚨 **Urgency**: CRITICAL (CVSS 9.8). 📢 **Priority**: Patch IMMEDIATELY. This is an RCE vulnerability with a public PoC. Delaying puts the entire WordPress infrastructure at severe risk of compromise.