CVE-2022-4974
published 2024-10-16


Priority: P278
CVSS 3.1: 6.3 (medium)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:L
VulnCheck KEV: exploited in the wild (ITW)
EPSS: 0.42% (34.0th percentile)
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and _set_db_option functions in versions up to and including 2.4.2. Any WordPress plugin or theme running a version of Freemius earlier than 2.4.3 is vulnerable.

The SDK is vendored into each plugin or theme rather than installed once on the site, so a site is exposed through every bundled copy it runs, and every affected product has to ship its own update carrying a fixed SDK. That is why the affected list is a long series of per-product version ranges rather than a single one.
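What "missing capability checks and nonce protection" means in practice, as an added illustration written for this page and not Freemius SDK source: a WordPress admin-ajax handler in the vulnerable shape next to a hardened one. The hook names (example_*), the nonce action string, the script handle and the option names are assumptions; the WordPress API calls (check_ajax_referer, current_user_can, wp_create_nonce, wp_send_json_error) are the real ones.

```php
<?php
// Added illustration for this page, not Freemius SDK source. It reconstructs
// the class of bug the description names (an admin-ajax handler with neither a
// nonce check nor a capability check) and the hardened form. Handler names,
// the nonce action string, the script handle and option names are assumptions.

// WordPress routes POST /wp-admin/admin-ajax.php?action=<name> to the
// 'wp_ajax_<name>' hook for logged-in users. A request forged from another
// origin carries the victim's cookies, so without a nonce the server cannot
// tell it from a legitimate one; without a capability check, any logged-in
// role (subscriber included) can call the handler directly.

/* --- Vulnerable pattern ------------------------------------------------ */

add_action( 'wp_ajax_example_get_db_option', 'example_get_db_option_vulnerable' );
function example_get_db_option_vulnerable() {
    // Reads any option, e.g. 'admin_email' or a plugin's API keys: disclosure.
    $name = isset( $_POST['option_name'] ) ? (string) $_POST['option_name'] : '';
    wp_send_json_success( get_option( $name ) );
}

add_action( 'wp_ajax_example_set_db_option', 'example_set_db_option_vulnerable' );
function example_set_db_option_vulnerable() {
    // Writes any option, e.g. 'users_can_register' or 'default_role'; a CSRF
    // page visited by an administrator is enough to reach this.
    update_option( (string) $_POST['option_name'], $_POST['option_value'] );
    wp_send_json_success();
}

/* --- Hardened pattern ---------------------------------------------------- */

// Nonce action name (assumed). The nonce is tied to this string and to the
// current user's session, so a page on another origin cannot obtain or forge it.
const EXAMPLE_NONCE_ACTION = 'example_db_option';

function example_require_admin_request() {
    // 1) CSRF: verify the nonce sent in the '_nonce' field; on failure
    //    check_ajax_referer() ends the request with HTTP 403.
    check_ajax_referer( EXAMPLE_NONCE_ACTION, '_nonce' );
    // 2) Authorization: a valid nonce only proves the request came from the
    //    caller's own session, so the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
}

add_action( 'wp_ajax_example_get_db_option_secure', 'example_get_db_option_secure' );
function example_get_db_option_secure() {
    example_require_admin_request();
    $name = sanitize_key( wp_unslash( $_POST['option_name'] ?? '' ) );
    wp_send_json_success( get_option( $name ) );
}

add_action( 'wp_ajax_example_set_db_option_secure', 'example_set_db_option_secure' );
function example_set_db_option_secure() {
    example_require_admin_request();
    $name  = sanitize_key( wp_unslash( $_POST['option_name'] ?? '' ) );
    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    // 3) Least privilege: accept a fixed set of option names (assumed list),
    //    never an arbitrary one supplied by the client.
    $allowed = array( 'example_debug_enabled', 'example_log_level' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'option not allowed', 400 );
    }
    update_option( $name, $value );
    wp_send_json_success();
}

// The legitimate caller (the plugin's own admin page) receives the nonce via
// wp_localize_script() and sends it back in the '_nonce' field of its POST.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( EXAMPLE_NONCE_ACTION ),
    ) );
} );
```

Both controls are needed, which is why the description lists both as missing: check_ajax_referer() blocks the cross-site forgery but would still pass for a subscriber-level account holding a nonce from its own session, and current_user_can() is what stops that account (the PR:L in the vector) from reading or writing options directly. The allow-list on the write path is an additional least-privilege measure beyond the two checks the description names.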

Affected

559 ranges, showing 25. A "-" means the database records no version bound for that product.

Vendor | Product | Version range | Fixed in
5starplugins | easy_age_verify | < 1.6.1 | 1.6.1
5starplugins | featured_images_in_rss_for_mailchimp_more | < 1.5.9 | 1.5.9
5starplugins | marijuana_age_verify | < 1.3.1 | 1.3.1
9brada6 | tabs_with_recommended_posts | - | -
actuaryzaska | zw_woocommerce_file_uploads | - | -
aguilerasoft | conversion_de_moneda_woocommerce | - | -
aharonyan | guest_posting_frontend_posting_front_editor_wp_front_user_submit | < 3.4.1 | 3.4.1
ahmed17 | cf7_constant_contact_fields_mapping | - | -
ahmed17 | menu_item_scheduler | - | -
ahmed17 | rw_divi_unite_gallery | <= 1.0 | -
akdevs | genealogical_tree_family_tree_ancestry_for_wordpress | <= 2.1.5 | -
alex-yebb | resolutions | - | -
alexmoss | opensea | < 1.0.3 | 1.0.3
alleythemes | alley_business_toolkit | < 1.1.8 | 1.1.8
alphabposervice | easy_code_snippets | < 1.0.1 | 1.0.1
alphabposervice | easy_math_captcha_for_cf7 | - | -
alphabposervice | easy_newsletter_signups | < 1.0.4 | 1.0.4
alphabposervice | easy_post_views_count | < 1.0.5 | 1.0.5
anasbinmukim | mailchimp_manager | - | -
andyabelow | media_library_file_download | < 1.1 | 1.1
anfrageformular | anfrageformular_multi_step_drag_drop_formular_builder_leadgenerierung | - | -
ankitmaru | advanced_page_visit_counter_most_wanted_analytics_plugin_for_wordpress | < 6.0.0 | 6.0.0
annastaa | annasta_filters_for_woocommerce | < 1.5.0 | 1.5.0
anssilaitila | contact_list_online_staff_directory_address_book | < 2.9.50 | 2.9.50
anssilaitila | shared_files_frontend_file_upload_form_secure_file_sharing | < 1.6.72 | 1.6.72

CVSS provenance

NVD (v3.1): 6.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VulnCheck: 6.3 MEDIUM
Vendor (Red Hat): 7.8 HIGH