• According to WPScan there’s a known vulnerability in your plugin. I was wondering when it is going to be fixed?

    Unauthorised AJAX Calls via Freemius
    Description

    The plugins and themes use an insecure version of the Freemius Framework, which is lacking CSRF and/or authorisation in some of its AJAX actions. As a result, any authenticated user, such as a subscriber, could access the debug logs. Unauthenticated attackers could also make a logged-in admin toggle the debug mode via a CSRF attack.

    Proof of Concept

    The PoC will be displayed on March 14, 2022, to give users the time to update.

    Source: https://wpscan.com/vulnerability/6dae6dca-7474-4008-9fe5-4c62b9f12d0a
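The advisory describes two distinct gaps in an admin-ajax endpoint: no CSRF token (so a page an admin visits can fire the request) and no authorisation check (so any logged-in role reaches the handler). The following is an added example, not Freemius or the plugin's own code, showing a WordPress AJAX handler in the weak shape the advisory describes next to the hardened shape with both checks; the action, option and script names (myplugin_*) are hypothetical.

```php
<?php
// Added example (not Freemius or the plugin's code). Action/option names
// starting with myplugin_ are hypothetical.

// Weak form: wp_ajax_ hooks fire for every authenticated user, and nothing
// ties the request to a deliberate action in the admin UI, so a subscriber
// can call this directly and a third-party page can drive an admin to it.
function myplugin_toggle_debug_weak() {
    $enabled = (bool) get_option( 'myplugin_debug', false );
    update_option( 'myplugin_debug', ! $enabled );
    wp_send_json_success( array( 'debug' => ! $enabled ) );
}
add_action( 'wp_ajax_myplugin_toggle_debug_weak', 'myplugin_toggle_debug_weak' );

// Hardened form: nonce for CSRF, capability for authorisation.
function myplugin_toggle_debug() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    //    check_ajax_referer() reads the 'nonce' request field named here
    //    (by default it looks at _ajax_nonce / _wpnonce) and dies with 403
    //    when the nonce is missing, expired or minted for another action.
    check_ajax_referer( 'myplugin_toggle_debug', 'nonce' );

    // 2. Authorisation: a valid nonce proves intent, not privilege; a
    //    subscriber can mint one for themselves. Gate on a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $enabled = (bool) get_option( 'myplugin_debug', false );
    update_option( 'myplugin_debug', ! $enabled );
    wp_send_json_success( array( 'debug' => ! $enabled ) );
}
// No wp_ajax_nopriv_ registration: anonymous callers never reach the handler.
add_action( 'wp_ajax_myplugin_toggle_debug', 'myplugin_toggle_debug' );

// A read-only endpoint needs the same gate: returning debug logs to any
// authenticated role is the data-exposure half of the advisory.
function myplugin_get_debug_log() {
    check_ajax_referer( 'myplugin_get_debug_log', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    $log = get_option( 'myplugin_debug_log', '' );
    wp_send_json_success( array( 'log' => $log ) );
}
add_action( 'wp_ajax_myplugin_get_debug_log', 'myplugin_get_debug_log' );

// Minting the nonces: hand them to the admin page's script so the browser
// sends them back in the 'nonce' field of each request.
function myplugin_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'         => admin_url( 'admin-ajax.php' ),
        'toggleNonce' => wp_create_nonce( 'myplugin_toggle_debug' ),
        'logNonce'    => wp_create_nonce( 'myplugin_get_debug_log' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_script' );
```

The two checks are independent and both are needed: a nonce alone still lets a subscriber (who can mint their own nonce) hit the endpoint, and a capability check alone still lets a cross-site request ride an admin's session. When reviewing a third-party framework bundled into a plugin, grep its `wp_ajax_` registrations and confirm each handler performs both before touching state or returning sensitive data.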

  • The topic ‘Unauthorised AJAX Calls via Freemius’ is closed to new replies.