- Published on: Oct 16, 2024
- Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and _set_db_option functions in versions up to and including 2.4.2. Any WordPress plugin or theme running a version of Freemius earlier than 2.4.3 is vulnerable.
- Affected versions: Min -, max 1.3.2.
- Previous vulnerability research
  - WPBITS Addons For Elementor Page Builder (CVE-2024-4862), Jul 10, 2024
  - WPBITS Addons For Elementor Page Builder (CVE-2024-8962), Dec 06, 2024
  - WPBITS Addons For Elementor Page Builder (CVE-2024-37945), Jul 14, 2024
  - WPBITS Addons For Elementor Page Builder (CVE-2024-2129), Jun 06, 2024
  - WPBITS Addons For Elementor Page Builder (CVE-2024-32593), Jun 06, 2024
- New vulnerability
  - Zephyr Admin Theme (CVE-2025-22814), Jan 10, 2025
  - Responsive Flickr Slideshow (CVE-2025-22807), Jan 10, 2025
  - Action Network (CVE-2024-12394), Jan 10, 2025
  - SimplyRETS Real Estate IDX (CVE-2024-12491), Jan 10, 2025
  - SKT Page Builder (CVE-2024-12848), Jan 10, 2025