VYPR
Unrated severity · NVD Advisory · Published Aug 9, 2021 · Updated May 23, 2025

WP Fusion Lite <= 3.37.18 Cross-Site Request Forgery to Data Deletion

CVE-2021-34661

Description

CSRF in WP Fusion Lite ≤3.37.18 allows attackers to delete all plugin logs via the show_logs_section function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WP Fusion Lite plugin for WordPress, up to and including version 3.37.18, is vulnerable to Cross-Site Request Forgery (CSRF) in the show_logs_section function located in ~/includes/admin/logging/class-log-handler.php. This vulnerability allows an attacker to trick an authenticated administrator into performing an unintended action, specifically the deletion of all plugin logs, without their knowledge or consent.[1][2]

Exploitation

To exploit this vulnerability, an attacker must craft a malicious request that triggers the show_logs_section function. The attacker then needs to convince an authenticated administrator with the appropriate capabilities to perform an action, such as clicking a link or visiting a specially crafted webpage, while the administrator has an active session. No additional authentication or user interaction is required beyond that initial click.[1]

Impact

Successful exploitation results in the complete removal of all log data generated by the WP Fusion Lite plugin. While log deletion itself does not directly affect the confidentiality or integrity of user data, it may hinder debugging and auditing activities, potentially allowing further malicious actions to go undetected. This attack does not achieve privilege escalation or code execution.[1]

Mitigation

The vulnerability has been patched in versions after 3.37.18. Users are strongly advised to update to the latest version of WP Fusion Lite, which is 3.47.11.1 as of the publication date of the advisory. No workarounds are available for affected versions. If an immediate update is not possible, consider restricting access to the admin area to trusted users only.[1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `flush_logs` function lacks proper nonce verification, allowing unauthenticated users to trigger log deletion."

Attack vector

An attacker can send a POST request to the `wpf-flush-logs` endpoint without any authentication. The request would have to include a valid nonce value, which an attacker could obtain by observing legitimate traffic or through other means. The `flush_logs` function, once triggered, then deletes all plugin logs. [ref_id=1]

Affected code

The vulnerability exists in the `flush_logs` function within the `~/includes/admin/logging/class-log-handler.php` file. This function is responsible for handling the deletion of all plugin logs. The code directly checks for the presence of `$_REQUEST['wpf-flush-logs']` without adequately verifying the source of the request. [ref_id=1]

What the fix does

The patch addresses the vulnerability by ensuring that the `wpf_logs_submit` nonce is always verified before the `flush_logs` function is executed. This prevents unauthenticated users from triggering the log deletion functionality, as they would not possess a valid nonce. The verification is performed using `wp_verify_nonce` to ensure the request originates from a legitimate source. [ref_id=1]
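The pattern the fix describes, shown as an added illustration rather than the plugin's own code: the request-parameter-only check beside a handler that verifies the `wpf_logs_submit` nonce with `wp_verify_nonce` and gates the action behind a capability check. The request key `wpf-flush-logs` and the nonce action `wpf_logs_submit` come from the advisory; using `wpf_logs_submit` as the nonce field name, the `manage_options` capability, and the `$log_handler->flush_logs()` helper are assumptions made here.

```php
<?php
/*
 * Illustrative WordPress admin handler (not WP Fusion Lite source).
 * Assumed: request key `wpf-flush-logs` and nonce action `wpf_logs_submit`
 * (both from the advisory); nonce field name `wpf_logs_submit`, capability
 * `manage_options` and the $log_handler->flush_logs() helper are assumptions.
 */

// BEFORE: the only condition is that the parameter is present. Any request an
// authenticated admin's browser sends carries their cookies, so a form posted
// from a third-party page satisfies this check and deletes the logs.
function wpf_example_show_logs_section_vulnerable( $log_handler ) {
	if ( isset( $_REQUEST['wpf-flush-logs'] ) ) {
		$log_handler->flush_logs();
	}
	// ... render the logs table ...
}

// AFTER: capability check plus nonce verification. The nonce is bound to the
// current user, the action name and a time window, so a cross-site request
// cannot supply a valid one; the capability check stops low-privilege users
// who could otherwise obtain a nonce of their own.
function wpf_example_show_logs_section_fixed( $log_handler ) {
	if ( isset( $_REQUEST['wpf-flush-logs'] ) ) {
		if ( ! current_user_can( 'manage_options' ) ) {
			wp_die( esc_html__( 'You do not have permission to do that.', 'example' ), '', array( 'response' => 403 ) );
		}

		$nonce = isset( $_REQUEST['wpf_logs_submit'] )
			? sanitize_text_field( wp_unslash( $_REQUEST['wpf_logs_submit'] ) )
			: '';

		// wp_verify_nonce() returns false for a missing, forged or expired nonce.
		if ( ! wp_verify_nonce( $nonce, 'wpf_logs_submit' ) ) {
			wp_die( esc_html__( 'Security check failed.', 'example' ), '', array( 'response' => 403 ) );
		}

		$log_handler->flush_logs();
	}
	// ... render the logs table ...
}

// The legitimate form must emit the matching nonce so that real admin clicks
// still pass the check above.
function wpf_example_render_flush_form() {
	echo '<form method="post">';
	wp_nonce_field( 'wpf_logs_submit', 'wpf_logs_submit' );
	submit_button( __( 'Flush logs', 'example' ), 'delete', 'wpf-flush-logs', false );
	echo '</form>';
}
```

In an admin screen the same two checks are conventionally written as `check_admin_referer( 'wpf_logs_submit', 'wpf_logs_submit' )`, which calls `wp_verify_nonce` and dies on failure; either form gives the behaviour the patch description calls for. The capability check is worth keeping alongside the nonce because a nonce only proves the request came from a page this site rendered for this user, not that the user is allowed to delete logs.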

Preconditions

  • config: The WP Fusion Lite plugin must be installed and active.
  • input: The attacker needs to obtain a valid nonce value to include in the request.

Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in the index yet)