Freemius SDK Vulnerabilities Affect Hundreds of WordPress Plugins and Themes
CVE-2022-4974

6.3MEDIUM

Key Information:

Vendor
Wordpress
Status
Yasr – Yet Another Star Rating Plugin For WordPress
Events Addon For Elementor
Fraud Prevention For WooCommerce And Edd
Gutenberg Blocks – Acf Blocks Suite
Vendor
CVE Published:
16 October 2024

Summary

The Freemius SDK, utilized by numerous WordPress plugin and theme developers, is susceptible to security flaws that permit Cross-Site Request Forgery and information disclosure. This is attributed to the absence of adequate capability checks and nonce protection measures on critical functions such as _get_debug_log, _get_db_option, and _set_db_option. Versions of the Freemius SDK prior to 2.4.3 exhibit these vulnerabilities, making any WordPress plugin or theme utilizing these versions susceptible to exploitation.

Affected Version(s)

3D Viewer – 3D Model Viewer Plugin * < 1.2.7

A no-code page builder for beautiful performance-based content * < 2.1.17

Abeta Link PunchOut *

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://wpscan.com/vulnerability/6dae6dca-7474-4008-9fe5-...
https://freemius.com/blog/managing-security-issues-open-s...

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.