WordPress Plugin Vulnerabilities

WP Fusion Lite < 3.37.30 - CSRF to Data Deletion

Description

The plugin is vulnerable to Cross-Site Request Forgery via the show_logs_section function found in the ~/includes/admin/logging/class-log-handler.php file which allows attackers to drop all logs for the plugin

Affects Plugins

Plugin icon
wp-fusion-lite
Fixed in 3.37.30

References

CVE
CVE-2021-34661
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34661

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Xu-Liang Liao
Verified
Yes
WPVDB ID
44979222-cf49-4851-80e1-338ccbd9dc8c

Timeline

Publicly Published
2021-08-06 (about 4 years ago)
Added
2021-08-09 (about 4 years ago)
Last Updated
2023-01-25 (about 3 years ago)

Other

Published
Title
Published
2025-02-13
Title
Global Meta Keyword & Description <= 2.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-08-29
Title
Tourfic < 2.11.21 - Cross-Site Request Forgery in Multiple Functions
Published
2025-12-31
Title
Custom Style <= 1.0 - Cross-Site Request Forgery
Published
2025-09-22
Title
Custom Post Type Images <= 0.5 - Cross-Site Request Forgery
Published
2023-12-27
Title
Easy PayPal Buy Now Button < 1.8.2 - Cross-Site Request Forgery