WordPress Plugin Vulnerabilities

WP Fusion Lite < 3.37.30 - Reflected Cross-Site Scripting (XSS)

Description

The plugin is vulnerable to Reflected Cross-Site Scripting via the startdate parameter found in the ~/includes/admin/logging/class-log-table-list.php file which allows attackers to inject arbitrary web scripts

WPScanTeam: The issue was reported as fixed, but the fix was insufficient and a separate advisory has been made for it

Proof of Concept

Affects Plugins

Plugin icon
wp-fusion-lite
Fixed in 3.37.30

References

CVE
CVE-2021-34660
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34660

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Xu-Liang Liao
Verified
Yes
WPVDB ID
4a4934d6-282d-4e8c-922a-6b1f12884191

Timeline

Publicly Published
2021-08-06 (about 4 years ago)
Added
2021-08-09 (about 4 years ago)
Last Updated
2023-01-25 (about 3 years ago)

Other

Published
Title
Published
2025-03-04
Title
Simple Notification <= 1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-04-16
Title
EnvíaloSimple: Email Marketing y Newsletters < 2.3 - Reflected Cross-Site Scripting
Published
2024-03-01
Title
Nextend Social Login and Register < 3.1.13 - Reflected Self-Based Cross-Site Scripting via error_description
Published
2025-09-22
Title
Product Catalog Simple < 1.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-24
Title
Tooltip <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting