CVE-2022-4974 MEDIUM

CVE-2022-4974: Freemius SDK <= 2.4.2 - Missing Authorization Checks

Vendor Dashlabsltd
Product YASR – Yet Another Star Rating Plugin for WordPress
Weakness CWE-862 · Missing authorization
Published October 16, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.

Key dates

02Disclosure timeline

October 16, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-23906 WordPress WordPress Dashboard Tweeter plugin <= 1.3.2 - Settings Change vulnerability CVE-2025-24577 WordPress Poll Maker plugin <= 5.5.0 - Broken Access Control vulnerability CVE-2025-62935 WordPress Open Close WooCommerce Store plugin <= 5.0.0 - Broken Access Control vulnerability CVE-2026-4650 FundPress <= 2.0.8 - Missing Authorization to Unauthenticated Arbitrary Donation Status Modification via donate_action_status AJAX Handler CVE-2023-0556 ContentStudio <= 1.2.5 - Missing Authorization