CVE-2022-4974

Freemius SDK <= 2.4.2 - Missing Authorization Checks

mediumMissing Authorization

6.3

CVSS Score

6.3

CVSS Score

medium

Severity

1.4.6

Patched in

1260d

Time to patch

Description

The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Low

Confidentiality

Low

Integrity

Low

Availability

Technical Details

Affected versions<1.4.6

PublishedMarch 4, 2022

Last updatedAugust 14, 2025

Affected pluginrestaurant-cafe-addon-for-elementor

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database