CVE-2022-4974

6.3 MEDIUM

📋 TL;DR

This vulnerability in the Freemius SDK allows attackers to perform Cross-Site Request Forgery attacks and access sensitive information due to missing capability checks and nonce protection. It affects hundreds of WordPress plugins and themes that use vulnerable versions of the Freemius SDK. Any WordPress site running affected plugins/themes is potentially vulnerable.

💻 Affected Systems

Products:
  • WordPress plugins and themes using Freemius SDK
Versions: Freemius SDK versions up to and including 2.4.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any WordPress plugin or theme that includes the vulnerable Freemius SDK library. Hundreds of plugins/themes are affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify WordPress database options, access debug logs containing sensitive information, and potentially escalate privileges or compromise the entire WordPress installation.

🟠 Likely Case

Unauthorized users accessing debug logs containing plugin/theme configuration data, user information, or other sensitive operational details.

🟢 If Mitigated

With proper web application firewalls and security plugins, most exploitation attempts would be blocked, limiting impact to information disclosure only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking authenticated users into visiting malicious pages, but the vulnerability itself is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Freemius SDK 2.4.3 and later

Vendor Advisory: https://freemius.com/blog/managing-security-issues-open-source-freemius-sdk-security-disclosure/

Restart Required: No

Instructions:

  1. Update all WordPress plugins and themes to the latest versions.
  2. Specifically ensure any plugin/theme using the Freemius SDK is updated to use version 2.4.3 or higher.
  3. Check with plugin/theme developers for updates if none are available in the WordPress repository.

🔧 Temporary Workarounds

Temporary plugin disablement (applies to: all)

Disable affected plugins/themes until updates are available:

wp plugin deactivate [plugin-name]
# WP-CLI has no "theme deactivate" command; a theme is retired by activating a different one
wp theme activate [fallback-theme-name]

Web Application Firewall rules (applies to: all)

Block requests to vulnerable Freemius endpoints:

Add WAF rules to block: /wp-admin/admin-ajax.php?action=fs_*_get_debug_log
Add WAF rules to block: /wp-admin/admin-ajax.php?action=fs_*_get_db_option
Add WAF rules to block: /wp-admin/admin-ajax.php?action=fs_*_set_db_option

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent CSRF attacks
  • Use WordPress security plugins that provide CSRF protection and capability checking

🔍 How to Verify

Check if Vulnerable:

Check if any installed plugins/themes use Freemius SDK version 2.4.2 or earlier. Review plugin/theme source code for 'freemius' references and version numbers.

Check Version:

grep -r 'freemius' /path/to/wordpress/wp-content/plugins/ /path/to/wordpress/wp-content/themes/ | grep -i version
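The grep above lists every file that mentions a version; the following script goes one step further and is an added example, not part of this advisory or of the Freemius project: it walks wp-content, reads the declared version of each bundled SDK copy and reports which ones are below the fixed release 2.4.3. It assumes (not stated on this page) that each SDK copy declares its version in start.php as `$this_sdk_version = 'X.Y.Z';`; the sample plugin tree it builds is constructed so the script runs offline, and `scan()` can be pointed at a real wp-content directory instead.

```python
"""Added example: report bundled Freemius SDK copies below 2.4.3.

Assumption: the SDK declares its version in start.php as
    $this_sdk_version = 'X.Y.Z';
The sample tree in build_sample_tree() is constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (2, 4, 3)  # first release with the fix, per the advisory
VERSION_RE = re.compile(r"\$this_sdk_version\s*=\s*['\"]([\d.]+)['\"]")


def parse_version(text):
    """Return the declared SDK version as an int tuple, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def scan(wp_content):
    """Map each SDK start.php (relative path) to (version string, is_vulnerable).

    Tuple comparison handles multi-digit components correctly, so
    2.5.10 is not mistaken for something older than 2.4.3.
    """
    wp_content = Path(wp_content)
    results = {}
    for path in wp_content.rglob("start.php"):
        # Only start.php files that live inside a "freemius" directory count.
        if "freemius" not in [p.lower() for p in path.parts]:
            continue
        ver = parse_version(path.read_text(errors="replace"))
        if ver is None:
            continue
        results[str(path.relative_to(wp_content))] = (
            ".".join(map(str, ver)),
            ver < FIXED_VERSION,
        )
    return results


def build_sample_tree():
    """Constructed wp-content with one vulnerable and two patched SDK copies."""
    root = Path(tempfile.mkdtemp(prefix="wp-content-"))
    samples = {
        "plugins/old-plugin/freemius/start.php": "2.4.2",
        "plugins/new-plugin/vendor/freemius/start.php": "2.5.10",
        "themes/some-theme/freemius/start.php": "2.4.3",
    }
    for rel, ver in samples.items():
        f = root / rel
        f.parent.mkdir(parents=True)
        f.write_text(f"<?php\n$this_sdk_version = '{ver}';\n")
    return root


if __name__ == "__main__":
    for rel, (ver, vulnerable) in sorted(scan(build_sample_tree()).items()):
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} {ver:8} {rel}")
```

Run it against a live site with `scan("/path/to/wordpress/wp-content")`; a copy that reports no version at all is worth a manual look, since the version line may simply be formatted differently than assumed.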

Verify Fix Applied:

Verify that all plugins/themes have been updated and confirm Freemius SDK version is 2.4.3 or higher in their source code.

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin-ajax.php requests with fs_* actions
  • Multiple failed attempts to access debug logs or database options
  • Unauthorized modifications to wp_options table

Network Indicators:

  • HTTP POST requests to admin-ajax.php with fs_get_debug_log, fs_get_db_option, or fs_set_db_option actions
  • CSRF attack patterns targeting authenticated WordPress sessions

SIEM Query:

source="wordpress.log" AND (action="fs_get_debug_log" OR action="fs_get_db_option" OR action="fs_set_db_option") AND user_capability!="administrator"
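The SIEM query assumes a log source that already carries the action and the caller's capability. When only the web server's access log is available, the same indicators can be checked there; the script below is an added example (not part of this advisory) that runs over constructed combined-format log lines, flags admin-ajax.php requests whose `action` parameter matches the Freemius debug actions named above, and notes when the Referer is off-site, which is the shape a CSRF-delivered request leaves. `SITE_HOST` and the log lines are assumptions made for the demo.

```python
"""Added example: detect Freemius debug-action requests in an access log.

Constructed log lines in combined format; SITE_HOST is the site's own host.
"""
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "example.com"  # assumption: the protected site's hostname

# Combined access-log format: ip ident user [ts] "METHOD target proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The advisory lists the fs_*_get_debug_log shape and the bare fs_get_debug_log form;
# the pattern accepts both, with an optional trailing identifier.
FS_ACTION_RE = re.compile(
    r"^fs_(?:\w*_)?(get_debug_log|get_db_option|set_db_option)(?:_\w*)?$"
)


def classify(line):
    """Return a finding dict for a suspicious line, or None for benign/unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    actions = parse_qs(url.query).get("action", [])
    hits = [a for a in actions if FS_ACTION_RE.match(a)]
    if not hits:
        return None
    referer = m["referer"]
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    return {
        "ip": m["ip"],
        "method": m["method"],
        "action": hits[0],
        "status": int(m["status"]),
        # An off-site Referer on an admin-ajax request is the CSRF signature.
        "cross_site_referer": ref_host is not None and ref_host != SITE_HOST,
    }


def scan_log(lines):
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f]


SAMPLE_LOG = [
    # Constructed: ordinary admin page load, not flagged
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 512 '
    '"https://example.com/wp-admin/" "Mozilla/5.0"',
    # Constructed: debug-log fetch arriving from an off-site page
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-admin/admin-ajax.php?action=fs_get_debug_log HTTP/1.1" 200 8192 '
    '"https://attacker.example/lure.html" "Mozilla/5.0"',
    # Constructed: option write via POST with a same-site Referer
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-admin/admin-ajax.php?action=fs_set_db_option HTTP/1.1" 200 64 '
    '"https://example.com/wp-admin/" "Mozilla/5.0"',
    # Constructed: unrelated ajax action, not flagged
    '203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 32 '
    '"https://example.com/wp-admin/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

One caveat for access-log based detection: the `action` parameter of a POST may travel in the request body rather than the query string, where a web server log never records it. The WAF rules above have the same blind spot unless the WAF inspects POST bodies, so for complete coverage pair this with application-level logging that records the ajax action.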
