WP Fusion Lite <= 3.37.18 Reflected Cross-Site Scripting
Description
The WP Fusion Lite plugin (≤ 3.37.18) suffers from reflected XSS via the startdate parameter in the log table list, letting attackers inject arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WP Fusion Lite WordPress plugin, in versions up to and including 3.37.18, contains a reflected cross-site scripting (XSS) vulnerability in the ~/includes/admin/logging/class-log-table-list.php file. The startdate parameter is not properly sanitized or escaped before being output in the log table list page, allowing injection of arbitrary web scripts [1][2].
Exploitation
An attacker can send a crafted URL with a malicious startdate parameter to a logged-in WordPress administrator. No authentication or special privileges are required to trigger the reflected XSS; the victim need only click the crafted link. The vulnerable code path is reachable when the administrator views the log table under the WP Fusion settings [1][2].
Impact
Successful exploitation allows the attacker to inject arbitrary JavaScript or HTML into the victim's browser in the context of the WordPress admin dashboard. This can lead to session hijacking, credential theft, or performing administrative actions on behalf of the victim [1][2].
Mitigation
The vendor released a patched version of WP Fusion Lite after 3.37.18. Users should upgrade to the latest version, which sanitizes the startdate parameter appropriately [1]. As an interim workaround, administrators can avoid clicking on untrusted links while logged in [1][2].
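An added illustration of the sanitize-and-escape handling the mitigation refers to, not code from WP Fusion Lite or its vendor: a hypothetical admin list-table `startdate` filter written the unsafe way the advisory describes, beside a hardened version. It assumes the WordPress helpers `esc_attr()`, `sanitize_text_field()` and `wp_unslash()`, with minimal fallbacks so it also runs on the plain `php` CLI.

```php
<?php
// Added illustration, not WP Fusion Lite's code: an admin list-table
// "startdate" filter handled the unsafe way the advisory describes, beside
// a hardened version. Fallbacks let it run on the plain php CLI; inside
// WordPress the real helper functions are used instead.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $t ) { return htmlspecialchars( (string) $t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $s ) { return trim( strip_tags( (string) $s ) ); }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $v ) { return stripslashes( (string) $v ); }
}

// Unsafe pattern (hypothetical): the request value is echoed straight into
// the filter form's markup, so a crafted link controls the page's HTML.
function render_startdate_filter_unsafe( array $get ) {
    $startdate = isset( $get['startdate'] ) ? $get['startdate'] : '';
    return '<input type="text" name="startdate" value="' . $startdate . '">';
}

// Hardened pattern: a date filter only ever needs YYYY-MM-DD, so anything
// else is dropped before the value is used in a query or rendered.
function read_startdate( array $get ) {
    if ( ! isset( $get['startdate'] ) ) {
        return '';
    }
    $raw = sanitize_text_field( wp_unslash( $get['startdate'] ) );
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $raw ) ) {
        return '';
    }
    list( $y, $m, $d ) = array_map( 'intval', explode( '-', $raw ) );
    return checkdate( $m, $d, $y ) ? $raw : '';
}

function render_startdate_filter_safe( array $get ) {
    // esc_attr() is applied even though the value was validated: input
    // validation and output escaping are separate layers, not alternatives.
    return '<input type="text" name="startdate" value="'
        . esc_attr( read_startdate( $get ) ) . '">';
}

// Constructed sample input: not a date, and it carries markup characters.
$sample = array( 'startdate' => '2024-01-01"><b>x</b>' );
echo render_startdate_filter_unsafe( $sample ), PHP_EOL;
echo render_startdate_filter_safe( $sample ), PHP_EOL;
echo render_startdate_filter_safe( array( 'startdate' => '2024-02-29' ) ), PHP_EOL;
```

The hardened version rejects the malformed value before it reaches the query or the page, and escapes whatever survives validation on output.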
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.37.18
- Range: 3.37.18
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- plugins.trac.wordpress.org/browser/wp-fusion-lite/trunk/includes/admin/logging/class-log-table-list.php
- www.wordfence.com/vulnerability-advisories/
News mentions
No linked articles in our index yet.