CVE-2022-4974 — Missing Authorization in Advanced Page Visit Counter Most Wanted Analytics Plugin FOR Wordpress

CWE-862 — Missing Authorization CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer5 documents5 sources

Severity

6.3MEDIUMNVD

EPSS

0.2%

top 57.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

559

5starplugins Easy AGE Verify 5starplugins Featured Images IN RSS FOR Mailchimp More 5starplugins Marijuana AGE Verify +556 more

Timeline

PublishedOct 16

Description

The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages559 packages

▶CVEListV5kitthemes/wordpress_coupon_plugin_for_bloggers_and_marketers_wp_offers< 1.1.4

▶CVEListV5deothemes/wordpress_everse_starter_sites_elementor_templates< 1.2.1

▶CVEListV5wpjoli/joli_faq_seo_wordpress_faq_plugin< 1.0.4

▶CVEListV5vinod-dalvi/ivory_search_wordpress_search_plugin< 5.4.4

▶CVEListV5wpeka-club/surveyfunnel_survey_plugin_for_wordpress< 1.1.3

🔴Vulnerability Details

GHSA

GHSA-p5fp-r7v7-h5q7: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosur↗2024-10-16

▶

CVEList

Freemius SDK <= 2.4.2 - Missing Authorization Checks↗2024-10-16

▶

VulnCheck

Freemius SDK _get_debug_log, _get_db_option, and the _set_db_option Functions Vulnerability↗2022

▶

📋Vendor Advisories

Red Hat

vim: buffer over-read in scriptfile.c↗2022-05-17

▶