Freemius SDK bis 2.0.1 auf WordPress _get_debug_log/_get_db_option/_set_db_option Cross Site Request Forgery

CVSS Meta Temp ScoreAktueller Exploitpreis (≈)CTI Interest Score
5.2$0-$5k0.00

Zusammenfassunginfo

Eine problematische Schwachstelle wurde in Freemius SDK bis 2.0.1 für WordPress ausgemacht. Es geht dabei um die Funktion _get_debug_log/_get_db_option/_set_db_option. Durch Manipulieren mit unbekannten Daten kann eine Cross Site Request Forgery-Schwachstelle ausgenutzt werden. Diese Schwachstelle wird als CVE-2022-4974 gehandelt. Der Angriff kann über das Netzwerk passieren. Es ist kein Exploit verfügbar. Es wird empfohlen, die betroffene Komponente zu aktualisieren.

Detailsinfo

Eine Schwachstelle wurde in Freemius SDK bis 2.0.1 auf WordPress entdeckt. Sie wurde als problematisch eingestuft. Davon betroffen ist die Funktion _get_debug_log/_get_db_option/_set_db_option. Durch das Manipulieren mit einer unbekannten Eingabe kann eine Cross Site Request Forgery-Schwachstelle ausgenutzt werden. Klassifiziert wurde die Schwachstelle durch CWE als CWE-352. Die Auswirkungen sind bekannt für die Integrität. Die Zusammenfassung von CVE lautet:

The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.

Das Advisory findet sich auf wordfence.com. Die Verwundbarkeit wird seit dem 15.10.2024 mit der eindeutigen Identifikation CVE-2022-4974 gehandelt. Sie gilt als leicht auszunutzen. Umgesetzt werden kann der Angriff über das Netzwerk. Das Ausnutzen erfordert keine spezifische Authentisierung. Eine Ausnutzung erfordert, dass das Opfer eine spezifische Handlung durchführt. Zur Schwachstelle sind technische Details bekannt, ein verfügbarer Exploit jedoch nicht.

Ein Aktualisieren auf die Version 2.0.2 vermag dieses Problem zu lösen.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Betroffen

  • YASR – Yet Another Star Rating Plugin for WordPress
  • Events Addon for Elementor
  • Fraud Prevention For WooCommerce and EDD
  • Gutenberg Blocks – ACF Blocks Suite
  • Ultimeter
  • Past Events Extension
  • Pootle Pagebuilder – WordPress Page builder
  • Local Delivery Drivers for WooCommerce
  • Ultimate Gutenberg – Custom Block Templates
  • WP Required Taxonomies – Categories and Tags Mandatory
  • Featured Products First for WooCommerce – A Extension of WooCommerce (WooCommerce Addon Plugin)
  • SSL Certificate – Free SSL, HTTPS by SSL Zen
  • Streak CRM For Gmail For Contact Form 7 – WordPress Plugin
  • WordPress Dev Powers – ACF Color Coded Field Types Plugin
  • DancePress (TRWA)
  • Product Size Charts Plugin for WooCommerce
  • Wp My Admin Bar
  • A no-code page builder for beautiful performance-based content
  • LocalSEOMap
  • Easy Prayer
  • AdFoxly – Ad Manager, AdSense Ads & Ads.txt
  • WP Get Personal
  • Checkout with Cash App on EDD
  • Server Info
  • Custom WooCommerce Checkout Fields Editor
  • KRSP Frontend File Uploader
  • Panorama Viewer- Best Plugin to Display Panoramic Images/Videos
  • Bulk Attachment Download
  • AutoSave Net
  • Premmerce Wholesale Pricing for WooCommerce
  • Any Popup – Popup Forms, Optins & Ads
  • Checkout with Venmo on EDD
  • Payment gateway per Product for WooCommerce
  • HQTheme Extra
  • Vit Website Reviews
  • WooCommerce EU VAT Assistant
  • WordPress Slider Block Gutenslider
  • HuCommerce | Magyar WooCommerce kiegészítések
  • KVoucher
  • Video Player for YouTube
  • Error Log Monitor
  • SlideDeck: Responsive WordPress Slider Plugin
  • Premmerce Multi-currency for Woocommerce
  • Booking Addon for WooCommerce
  • WP Event Partners – WordPress Plugin for Event and Conference Management
  • WC Shop Sync – Square Payment Gateway for WooCommerce, Inventory Sync Between Square and WooCommerce, Ultimate WooCommerce Square Plugin
  • Add Expires Headers & Optimized Minify
  • ForceField
  • FIT: Featured Image Toolkit
  • All in One Invite Codes
  • Dynamic Pricing and Discount Rules for WooCommerce
  • Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
  • Grid & Styler For Contact Form 7 And Divi
  • Protect Uploads with Login – Protect Your Uploads
  • Atlas – Knowledge Base
  • Simple Sitemap – Create a Responsive HTML Sitemap
  • Super Video Player- Best WordPress Video Display Plugin for mp4/OGG
  • WordPress Books Gallery
  • FiboSearch – Ajax Search for WooCommerce
  • Tag Groups is the Advanced Way to Display Your Taxonomy Terms
  • WP Free SSL – Free SSL Certificate for WordPress and force HTTPS
  • ClickerVolt – Affiliate Links & Click Tracking for Performance Marketers
  • ConsultPress Lite
  • Divi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7
  • StreamWeasels Twitch Integration
  • Mobile View for Responsive web design optimization (UX design) + Mobile Friendly Test
  • Zip Code Redirect
  • Guestofy – Restaurant Reservations Plugin, Room Planer, Reservation Form
  • CF7 Constant Contact Fields Mapping
  • Booking Calendar | Appointment Booking | Bookit
  • EthereumICO
  • RT Easy Builder – Advanced addons for Elementor
  • WP Contact Slider
  • Country Based Payments for WooCommerce
  • Filr – Secure document library
  • Elasta
  • MapGeo – Interactive Geo Maps
  • WordPress Animation Plugin – Animated Everything
  • WP Notification Bell
  • Activity Log For MainWP
  • Connected Sermons
  • Bulk Edit and Create User Profiles – WP Sheet Editor
  • Кнопка ЮMoney
  • Bulk WooCommerce Category Creator
  • Easy Math Captcha for CF7
  • Master Accordion ( Former WP Awesome FAQ Plugin )
  • Better Elementor Addons
  • Elementor Addons by Livemesh
  • Place Order Without Payment for WooCommerce
  • STEWoo – Super Transactional Emails for WooCommerce
  • DeMomentSomTres Address
  • Out of stock display for woocommerce
  • Ultimate Blocks – WordPress Blocks Plugin
  • Bulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO)
  • WP Radio – Worldwide Online Radio Stations Directory for WordPress
  • BookPress – For Book Authors
  • Qyrr – simply and modern QR-Code creation
  • WordPress Directory Plugin For Business Listings – WP Local Plus
  • Equalize Digital Accessibility Checker – Audit Your Website for WCAG, ADA, and Section 508 Accessibility Errors
  • Funnelmentals
  • Blockspare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed
  • Forms to Zapier, Integromat, IFTTT, Workato, Automate.io, elastic.io, Built.io, APIANT, Webhook
  • Product Carousel For WooCommerce – WoorouSell
  • WordPress Robots.txt optimizer (+ XML Sitemap) – Boost SEO, Traffic & Rankings
  • GFireM Fields
  • Coupon Affiliates – Affiliate Plugin for WooCommerce
  • WP Post Block
  • LMS Plugin – eLearning, Online Courses by Attest
  • Frontend Admin by DynamiApps
  • Simple Giveaways – Grow your business, email lists and traffic with contests
  • WPTools Masonry Gallery & Posts For Divi
  • GFireM Action After
  • Woo Ukrposhta
  • annasta Woocommerce Product Filters
  • WP Lead Stream
  • The Events Calendar
  • Focus on Reviews for WooCommerce
  • Email Tracker – Email Tracking Plugin to track Emails for Open and Email Links Click (Compatible with WooCommerce)
  • Block Styler For Gravity Forms
  • WP Page Templates
  • Product Customer List for WooCommerce
  • WP Moose
  • Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More
  • Floating Social Share Icons and Social Share buttons – Next Previous Post Links – FL
  • South Pole: Climate action now
  • LittleBot Invoices
  • Genealogical Tree – WordPress Family Tree
  • Automatic YouTube Gallery
  • Thank You Page for WooCommerce
  • Marijuana Age Verify
  • WooCommerce upcoming Products
  • Frontend Admin – Add and edit posts, pages, users and more all from the frontend
  • SV Tracking Manager
  • WP EasyPay – Square for WordPress
  • WordPress SEO Checklist
  • wGauge – Free Version
  • Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)
  • Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
  • WP Tools Divi Product Carousel
  • Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor
  • Social Gallery Lite
  • Stackable – Page Builder Gutenberg Blocks
  • Five-Star Ratings Shortcode
  • CAPTCHA 4WP – Antispam CAPTCHA solution for WordPress
  • Premmerce Wishlist for WooCommerce
  • Salon Booking System
  • Surbma | GDPR Proof Cookie Consent & Notice Bar
  • Advance Menu Manager
  • Live TV Player – Worldwide Live TV Channels Player for WordPress
  • Market Exporter
  • WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer
  • TK Google Fonts GDPR Compliant
  • Starfish Review Generation & Marketing for WordPress
  • WP Emaily
  • Education Addon for Elementor
  • SV Proven Expert
  • SurveyFunnel – Survey Plugin for WordPress
  • Advanced Classifieds & Directory Pro
  • Music Player for Elementor – Audio Player & Podcast Player
  • Cryptocurrency Product for WooCommerce
  • WooCommerce Next Order Coupon
  • Overlay Image Divi Module
  • Email Header Footer
  • Document Viewer- Plugin to Display MS Office Docs
  • Price Bands for WooCommerce
  • Elementor Addon Elements
  • Smart Variations Images & Swatches for WooCommerce
  • Featured Images in RSS for Mailchimp & More
  • Simple Sponsorships
  • Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
  • Joli Table Of Contents
  • Sparrow: Product Reviews and Ratings for WooCommerce
  • Multi Page Auto Advance for Gravity Forms
  • Generate Images – Magic Post Thumbnail
  • Live Scores for SportsPress
  • Hide Shipping Method For WooCommerce
  • Ultimate Carousel For Divi
  • WP Meta and Date Remover
  • Image Carousel For Divi
  • Comments Not Replied To
  • Contact Form 7 – Capsule CRM – Integration
  • Opensea
  • WordPress Translation plugin for Post, Pages & WooCommerce products. Tranzly IO AI DeepL automatic WordPress Translator.
  • Pixel Manager for WooCommerce – Track Google Analytics, Google Ads, TikTok and more
  • Modern Addons for Elementor Page Builder
  • Viralike
  • WordPress Dev Powers – Element Selector jQuery Powers Plugin
  • WP Munich Blocks – Gutenberg Blocks for WordPress
  • Availability datepicker – Integrate with Contact Form 7 and Divi
  • Footer Plugin for Divi
  • Accept Stripe Donation and Payments – AidWP
  • New User Approve
  • GFireM Advance Search
  • WPMailer – The best mail builder, No More Core for your emails support Elementor, CF7 forms etc…
  • Shared Files – Frontend File Upload Form & Secure File Sharing
  • WPBITS Addons For Elementor Page Builder
  • Speculor
  • WP Google Street View (with 360° virtual tour) & Google maps + Local SEO
  • WordPress Everse Starter Sites – Elementor Templates
  • Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
  • Choice Payment Gateway for WooCommerce
  • Domain Mapping System | Create Microsites with Multiple Alias Domains (multisite optional)
  • Order and Inventory Manager for WooCommerce
  • Ninja Libs Amazon SES
  • Delete All Comments of wordpress
  • WP-Cron Status Checker
  • CodeKit – Custom Codes Editor
  • FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
  • Change Price Title for WooCommerce
  • WordPress Gallery Plugin – Edge Photo Gallery
  • Glorious Services & Support
  • Easy Newsletter Signups
  • Announcement & Notification Banner – Bulletin
  • Advanced Database Replacer
  • Multisite Robots.txt Manager
  • Simple Social Page Widget & Shortcode
  • WooCommerce Country Catalogs – Product Country Restrictions
  • Front End PM
  • Ultimate Divi Modules Suite – Divi Sumo Lite
  • XT Points & Rewards for WooCommerce
  • Widgets for WooCommerce Products on Elementor
  • Delivery for WooCommerce
  • WP SMS Plugin – WordPress SMS Two Factor Authentication – 2FA, Two Factor, OTP SMS and Email
  • Security Ninja – Secure Firewall & Secure Malware Scanner
  • TinyMCE Annotate
  • Justified Gallery
  • Book BuyBack Prices
  • Fuse Social Floating Sidebar
  • WP-HR Manager: The Human Resources Plugin for WordPress
  • Emails Blacklist for Everest Forms
  • All-in-One Video Gallery
  • Woo Admin Product Notes
  • Remove Add to Cart WooCommerce
  • Checkout with Zelle on Woocommerce
  • WP Tools Gravity Forms Divi Module
  • Everse
  • Run time Image resizing
  • Rest Routes – Custom Endpoints

Produktinfo

Typ

Name

Version

CPE 2.3info

CPE 2.2info

CVSSv4info

VulDB Vector: 🔍
VulDB Zuverlässigkeit: 🔍

CVSSv3info

VulDB Meta Base Score: 5.3
VulDB Meta Temp Score: 5.2

VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔍
VulDB Zuverlässigkeit: 🔍

CNA Base Score: 6.3
CNA Vector (Wordfence): 🔍

CVSSv2info

AVACAuCIA
💳💳💳💳💳💳
💳💳💳💳💳💳
💳💳💳💳💳💳
VektorKomplexitätAuthentisierungVertraulichkeitIntegritätVerfügbarkeit
freischaltenfreischaltenfreischaltenfreischaltenfreischaltenfreischalten
freischaltenfreischaltenfreischaltenfreischaltenfreischaltenfreischalten
freischaltenfreischaltenfreischaltenfreischaltenfreischaltenfreischalten

VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Zuverlässigkeit: 🔍

Exploitinginfo

Klasse: Cross Site Request Forgery
CWE: CWE-352 / CWE-862 / CWE-863
CAPEC: 🔍
ATT&CK: 🔍

Physisch: Nein
Lokal: Nein
Remote: Ja

Verfügbarkeit: 🔍
Status: Nicht definiert

EPSS Score: 🔍
EPSS Percentile: 🔍

Preisentwicklung: 🔍
Aktuelle Preisschätzung: 🔍

0-Dayfreischaltenfreischaltenfreischaltenfreischalten
Heutefreischaltenfreischaltenfreischaltenfreischalten

Threat Intelligenceinfo

Interesse: 🔍
Aktive Akteure: 🔍
Aktive APT Gruppen: 🔍

Gegenmassnahmeninfo

Empfehlung: Upgrade
Status: 🔍

0-Day Time: 🔍

Upgrade: Freemius SDK 2.0.2

Timelineinfo

15.10.2024 🔍
16.10.2024 +1 Tage 🔍
16.10.2024 +0 Tage 🔍
05.03.2025 +140 Tage 🔍

Quelleninfo

Advisory: wordfence.com
Status: Bestätigt

CVE: CVE-2022-4974 (🔍)
GCVE (CVE): GCVE-0-2022-4974
GCVE (VulDB): GCVE-100-280595

Eintraginfo

Erstellt: 16.10.2024 10:22
Aktualisierung: 05.03.2025 09:02
Anpassungen: 16.10.2024 10:22 (66), 05.03.2025 09:02 (3)
Komplett: 🔍
Cache ID: 216::103

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Diskussion

Bisher keine Kommentare. Sprachen: de + en.

Bitte loggen Sie sich ein, um kommentieren zu können.

ZurückÜbersichtWeiter

Do you want to use VulDB in your project?

Use the official API to access entries easily!