Freemius SDK up to 2.0.1 on WordPress _get_debug_log/_get_db_option/_set_db_option cross-site request forgery

Summaryinfo

A vulnerability was found in Freemius SDK up to 2.0.1 on WordPress. It has been rated as problematic. The impacted element is the function _get_debug_log/_get_db_option/_set_db_option. The manipulation leads to cross-site request forgery. This vulnerability is referenced as CVE-2022-4974. Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in Freemius SDK up to 2.0.1 on WordPress. This issue affects the function _get_debug_log/_get_db_option/_set_db_option. The manipulation with an unknown input leads to a cross-site request forgery vulnerability. Using CWE to declare the problem leads to CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Impacted is integrity. The summary by CVE is:

The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.

It is possible to read the advisory at wordfence.com. The identification of this vulnerability is CVE-2022-4974 since 10/15/2024. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit.

Upgrading to version 2.0.2 eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Affected

• YASR – Yet Another Star Rating Plugin for WordPress
• Events Addon for Elementor
• Fraud Prevention For WooCommerce and EDD
• Gutenberg Blocks – ACF Blocks Suite
• Ultimeter
• Past Events Extension
• Pootle Pagebuilder – WordPress Page builder
• Local Delivery Drivers for WooCommerce
• Ultimate Gutenberg – Custom Block Templates
• WP Required Taxonomies – Categories and Tags Mandatory
• Featured Products First for WooCommerce – A Extension of WooCommerce (WooCommerce Addon Plugin)
• SSL Certificate – Free SSL, HTTPS by SSL Zen
• Streak CRM For Gmail For Contact Form 7 – WordPress Plugin
• WordPress Dev Powers – ACF Color Coded Field Types Plugin
• DancePress (TRWA)
• Product Size Charts Plugin for WooCommerce
• Wp My Admin Bar
• A no-code page builder for beautiful performance-based content
• LocalSEOMap
• Easy Prayer
• AdFoxly – Ad Manager, AdSense Ads & Ads.txt
• WP Get Personal
• Checkout with Cash App on EDD
• Server Info
• Custom WooCommerce Checkout Fields Editor
• KRSP Frontend File Uploader
• Panorama Viewer- Best Plugin to Display Panoramic Images/Videos
• Bulk Attachment Download
• AutoSave Net
• Premmerce Wholesale Pricing for WooCommerce
• Any Popup – Popup Forms, Optins & Ads
• Checkout with Venmo on EDD
• Payment gateway per Product for WooCommerce
• HQTheme Extra
• Vit Website Reviews
• WooCommerce EU VAT Assistant
• WordPress Slider Block Gutenslider
• HuCommerce | Magyar WooCommerce kiegészítések
• KVoucher
• Video Player for YouTube
• Error Log Monitor
• SlideDeck: Responsive WordPress Slider Plugin
• Premmerce Multi-currency for Woocommerce
• Booking Addon for WooCommerce
• WP Event Partners – WordPress Plugin for Event and Conference Management
• WC Shop Sync – Square Payment Gateway for WooCommerce, Inventory Sync Between Square and WooCommerce, Ultimate WooCommerce Square Plugin
• Add Expires Headers & Optimized Minify
• ForceField
• FIT: Featured Image Toolkit
• All in One Invite Codes
• Dynamic Pricing and Discount Rules for WooCommerce
• Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
• Grid & Styler For Contact Form 7 And Divi
• Protect Uploads with Login – Protect Your Uploads
• Atlas – Knowledge Base
• Simple Sitemap – Create a Responsive HTML Sitemap
• Super Video Player- Best WordPress Video Display Plugin for mp4/OGG
• WordPress Books Gallery
• FiboSearch – Ajax Search for WooCommerce
• Tag Groups is the Advanced Way to Display Your Taxonomy Terms
• WP Free SSL – Free SSL Certificate for WordPress and force HTTPS
• ClickerVolt – Affiliate Links & Click Tracking for Performance Marketers
• ConsultPress Lite
• Divi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7
• StreamWeasels Twitch Integration
• Mobile View for Responsive web design optimization (UX design) + Mobile Friendly Test
• Zip Code Redirect
• Guestofy – Restaurant Reservations Plugin, Room Planer, Reservation Form
• CF7 Constant Contact Fields Mapping
• Booking Calendar | Appointment Booking | Bookit
• EthereumICO
• RT Easy Builder – Advanced addons for Elementor
• WP Contact Slider
• Country Based Payments for WooCommerce
• Filr – Secure document library
• Elasta
• MapGeo – Interactive Geo Maps
• WordPress Animation Plugin – Animated Everything
• WP Notification Bell
• Activity Log For MainWP
• Connected Sermons
• Bulk Edit and Create User Profiles – WP Sheet Editor
• Кнопка ЮMoney
• Bulk WooCommerce Category Creator
• Easy Math Captcha for CF7
• Master Accordion ( Former WP Awesome FAQ Plugin )
• Better Elementor Addons
• Elementor Addons by Livemesh
• Place Order Without Payment for WooCommerce
• STEWoo – Super Transactional Emails for WooCommerce
• DeMomentSomTres Address
• Out of stock display for woocommerce
• Ultimate Blocks – WordPress Blocks Plugin
• Bulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO)
• WP Radio – Worldwide Online Radio Stations Directory for WordPress
• BookPress – For Book Authors
• Qyrr – simply and modern QR-Code creation
• WordPress Directory Plugin For Business Listings – WP Local Plus
• Equalize Digital Accessibility Checker – Audit Your Website for WCAG, ADA, and Section 508 Accessibility Errors
• Funnelmentals
• Blockspare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed
• Forms to Zapier, Integromat, IFTTT, Workato, Automate.io, elastic.io, Built.io, APIANT, Webhook
• Product Carousel For WooCommerce – WoorouSell
• WordPress Robots.txt optimizer (+ XML Sitemap) – Boost SEO, Traffic & Rankings
• GFireM Fields
• Coupon Affiliates – Affiliate Plugin for WooCommerce
• WP Post Block
• LMS Plugin – eLearning, Online Courses by Attest
• Frontend Admin by DynamiApps
• Simple Giveaways – Grow your business, email lists and traffic with contests
• WPTools Masonry Gallery & Posts For Divi
• GFireM Action After
• Woo Ukrposhta
• annasta Woocommerce Product Filters
• WP Lead Stream
• The Events Calendar
• Focus on Reviews for WooCommerce
• Email Tracker – Email Tracking Plugin to track Emails for Open and Email Links Click (Compatible with WooCommerce)
• Block Styler For Gravity Forms
• WP Page Templates
• Product Customer List for WooCommerce
• WP Moose
• Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More
• Floating Social Share Icons and Social Share buttons – Next Previous Post Links – FL
• South Pole: Climate action now
• LittleBot Invoices
• Genealogical Tree – WordPress Family Tree
• Automatic YouTube Gallery
• Thank You Page for WooCommerce
• Marijuana Age Verify
• WooCommerce upcoming Products
• Frontend Admin – Add and edit posts, pages, users and more all from the frontend
• SV Tracking Manager
• WP EasyPay – Square for WordPress
• WordPress SEO Checklist
• wGauge – Free Version
• Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)
• Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
• WP Tools Divi Product Carousel
• Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor
• Social Gallery Lite
• Stackable – Page Builder Gutenberg Blocks
• Five-Star Ratings Shortcode
• CAPTCHA 4WP – Antispam CAPTCHA solution for WordPress
• Premmerce Wishlist for WooCommerce
• Salon Booking System
• Surbma | GDPR Proof Cookie Consent & Notice Bar
• Advance Menu Manager
• Live TV Player – Worldwide Live TV Channels Player for WordPress
• Market Exporter
• WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer
• TK Google Fonts GDPR Compliant
• Starfish Review Generation & Marketing for WordPress
• WP Emaily
• Education Addon for Elementor
• SV Proven Expert
• SurveyFunnel – Survey Plugin for WordPress
• Advanced Classifieds & Directory Pro
• Music Player for Elementor – Audio Player & Podcast Player
• Cryptocurrency Product for WooCommerce
• WooCommerce Next Order Coupon
• Overlay Image Divi Module
• Email Header Footer
• Document Viewer- Plugin to Display MS Office Docs
• Price Bands for WooCommerce
• Elementor Addon Elements
• Smart Variations Images & Swatches for WooCommerce
• Featured Images in RSS for Mailchimp & More
• Simple Sponsorships
• Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
• Joli Table Of Contents
• Sparrow: Product Reviews and Ratings for WooCommerce
• Multi Page Auto Advance for Gravity Forms
• Generate Images – Magic Post Thumbnail
• Live Scores for SportsPress
• Hide Shipping Method For WooCommerce
• Ultimate Carousel For Divi
• WP Meta and Date Remover
• Image Carousel For Divi
• Comments Not Replied To
• Contact Form 7 – Capsule CRM – Integration
• Opensea
• WordPress Translation plugin for Post, Pages & WooCommerce products. Tranzly IO AI DeepL automatic WordPress Translator.
• Pixel Manager for WooCommerce – Track Google Analytics, Google Ads, TikTok and more
• Modern Addons for Elementor Page Builder
• Viralike
• WordPress Dev Powers – Element Selector jQuery Powers Plugin
• WP Munich Blocks – Gutenberg Blocks for WordPress
• Availability datepicker – Integrate with Contact Form 7 and Divi
• Footer Plugin for Divi
• Accept Stripe Donation and Payments – AidWP
• New User Approve
• GFireM Advance Search
• WPMailer – The best mail builder, No More Core for your emails support Elementor, CF7 forms etc…
• Shared Files – Frontend File Upload Form & Secure File Sharing
• WPBITS Addons For Elementor Page Builder
• Speculor
• WP Google Street View (with 360° virtual tour) & Google maps + Local SEO
• WordPress Everse Starter Sites – Elementor Templates
• Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
• Choice Payment Gateway for WooCommerce
• Domain Mapping System | Create Microsites with Multiple Alias Domains (multisite optional)
• Order and Inventory Manager for WooCommerce
• Ninja Libs Amazon SES
• Delete All Comments of wordpress
• WP-Cron Status Checker
• CodeKit – Custom Codes Editor
• FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
• Change Price Title for WooCommerce
• WordPress Gallery Plugin – Edge Photo Gallery
• Glorious Services & Support
• Easy Newsletter Signups
• Announcement & Notification Banner – Bulletin
• Advanced Database Replacer
• Multisite Robots.txt Manager
• Simple Social Page Widget & Shortcode
• WooCommerce Country Catalogs – Product Country Restrictions
• Front End PM
• Ultimate Divi Modules Suite – Divi Sumo Lite
• XT Points & Rewards for WooCommerce
• Widgets for WooCommerce Products on Elementor
• Delivery for WooCommerce
• WP SMS Plugin – WordPress SMS Two Factor Authentication – 2FA, Two Factor, OTP SMS and Email
• Security Ninja – Secure Firewall & Secure Malware Scanner
• TinyMCE Annotate
• Justified Gallery
• Book BuyBack Prices
• Fuse Social Floating Sidebar
• WP-HR Manager: The Human Resources Plugin for WordPress
• Emails Blacklist for Everest Forms
• All-in-One Video Gallery
• Woo Admin Product Notes
• Remove Add to Cart WooCommerce
• Checkout with Zelle on Woocommerce
• WP Tools Gravity Forms Divi Module
• Everse
• Run time Image resizing
• Rest Routes – Custom Endpoints

Productinfo

Type

• WordPress Plugin

Name

• Freemius SDK

Version

• 2.0.0
• 2.0.1

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion