
CVE-2022-4974: Freemius SDK used in WordPress plugins and themes exposes sensitive data

CVE-2022-4974
Summary

Hundreds of WordPress plugins and themes are affected. If exploited, this vulnerability could allow attackers to access sensitive information or take control of your website without your permission. Update to Freemius SDK version 2.4.3 or later to protect your website.

Original title
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce pr...
Original description
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and _set_db_option functions in versions up to, and including, 2.4.2. Any WordPress plugin or theme running a version of Freemius lower than 2.4.3 is vulnerable.
NVD CVSS 3.1 score: 6.3
Vulnerability type
CWE-862 Missing Authorization
Published: 16 Oct 2024 · Updated: 15 Jun 2026 · First seen: 7 Mar 2026
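
To find affected copies on a site, the following added example (not part of the original advisory or the Freemius project) walks a wp-content directory and flags every bundled SDK copy below 2.4.3. It assumes each SDK copy ships a start.php that declares `$this_sdk_version`; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import sys
import tempfile

FIXED = (2, 4, 3)  # first fixed SDK release, per the advisory text
# Assumption (not stated on this page): each bundled SDK copy has a start.php
# that declares its version as  $this_sdk_version = 'x.y.z';
VERSION_RE = re.compile(r"\$this_sdk_version\s*=\s*['\"](\d+(?:\.\d+)*)['\"]")


def parse_sdk_version(php_source):
    """Return the declared SDK version as a tuple of ints, or None."""
    m = VERSION_RE.search(php_source)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version):
    """True when version < 2.4.3; short versions are zero-padded (2.4 -> 2.4.0)."""
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED


def scan(wp_content):
    """Return sorted (sdk_dir, version, vulnerable) for every SDK copy found."""
    found = []
    for dirpath, _dirs, files in os.walk(wp_content):
        if "start.php" not in files:
            continue
        path = os.path.join(dirpath, "start.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = parse_sdk_version(fh.read())
        if version is not None:  # unrelated start.php files are skipped
            found.append((os.path.relpath(dirpath, wp_content), version, is_vulnerable(version)))
    return sorted(found)


def demo():
    """Scan a constructed tree: one outdated copy, one at the fixed version."""
    with tempfile.TemporaryDirectory() as root:
        for rel, ver in (("plugins/example-a/freemius", "2.4.2"),
                         ("themes/example-b/freemius", "2.4.3")):
            os.makedirs(os.path.join(root, rel))
            with open(os.path.join(root, rel, "start.php"), "w") as fh:
                fh.write("<?php\n$this_sdk_version = '%s';\n" % ver)
        return scan(root)


if __name__ == "__main__":
    for row in (scan(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(row)
```

Run it with the path to wp-content as the only argument; every row ending in True is a plugin or theme that still bundles an SDK older than 2.4.3.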