The plugin is vulnerable to Reflected Cross-Site Scripting via the startdate parameter found in the ~/includes/admin/logging/class-log-table-list.php file, which allows attackers to inject arbitrary web scripts.

WPScanTeam: The issue was reported as fixed, but the fix was insufficient and a separate advisory has been made for it.
https://example.com/wp-admin/tools.php?page=wpf-settings-logs&startdate=">&enddate=">
CPE

Name | Operator | Version |
---|---|---|
wp-fusion-lite | lt | 3.37.30 |
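
The pattern behind this class of bug, shown as an added example in plain PHP (not the plugin's code): a date filter value echoed into an HTML attribute unescaped, beside a version that validates the value and escapes it on output. The function names, the `Y-m-d` date format and the sample inputs are assumptions made for illustration; in WordPress code, `esc_attr()` fills the role `htmlspecialchars()` plays here.

```php
<?php
// Added illustration; function names and the Y-m-d format are assumptions.

/** Vulnerable pattern: the request value lands in the attribute as-is. */
function render_date_filter_unsafe(array $query): string {
    $start = $query['startdate'] ?? '';
    return '<input type="text" name="startdate" value="' . $start . '">';
}

/** Accept only a real calendar date written exactly as Y-m-d, else ''. */
function clean_date($raw): string {
    if (!is_string($raw)) {
        return '';                       // e.g. startdate[]=x arrives as an array
    }
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    // Round-trip comparison rejects overflow dates (2023-02-30) and loose forms.
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : '';
}

/** Hardened pattern: validate on input, escape for the attribute context on output. */
function render_date_filter_safe(array $query): string {
    $start = clean_date($query['startdate'] ?? '');
    return '<input type="text" name="startdate" value="'
        . htmlspecialchars($start, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Constructed sample requests; the second uses the value from the URL above.
$samples = [
    ['startdate' => '2023-01-15'],
    ['startdate' => '">'],
    ['startdate' => '2023-02-30'],
    ['startdate' => ['x']],
];

foreach ($samples as $query) {
    echo 'input : ', json_encode($query['startdate']), PHP_EOL;
    if (is_string($query['startdate'])) {
        echo 'unsafe: ', render_date_filter_unsafe($query), PHP_EOL;
    }
    echo 'safe  : ', render_date_filter_safe($query), PHP_EOL, PHP_EOL;
}
```

Validation and output escaping are applied together so that the markup stays intact even if one of the two is later loosened; the same treatment applies to the `enddate` parameter.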