Freemius WordPress SDK used by 7M sites is vulnerable to XSS attack (CVE-2023-33999)

CVE-2023-33999

Security analysts at Patchstack have discovered that the popular Freemius WordPress SDK is vulnerable to CVE-2023-33999. This security vulnerability, present in SDK versions 2.5.9 and below, has set alarm bells ringing in the WordPress community, potentially impacting the over 7 million sites that rely on the thousands of plugins and themes that use this SDK.

The Freemius WordPress SDK is a software development kit (SDK) that serves as an integral part of the most popular managed eCommerce platform for selling WordPress plugins and themes – Freemius. It’s a software library that integrates Freemius services with WordPress plugin and theme products. Developers worldwide use it as a springboard to sell and license their products efficiently. But a recent flaw in this SDK has brought the spotlight on it for the wrong reasons.

This specific vulnerability, tagged as CVE-2023-33999, is a site-wide Reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability could potentially enable any unauthenticated user to steal sensitive information or even escalate privileges on the WordPress site. The malicious attacker could, for instance, trick an administrator or another privileged user into visiting a crafted URL that exploits this vulnerability.

The root of this vulnerability lies in insufficient input sanitization and output escaping in the code that handles user input. Essentially, the checks that should ensure malicious code isn’t sneaked in via user-supplied values are missing or not adequately implemented.
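As an added illustration that is not Freemius code, the hypothetical WordPress admin page handler below shows the pattern the advisory describes: a request parameter echoed into the page without sanitization or escaping, next to a hardened version. The `s` parameter and the helper stand-ins are assumptions made so the file runs under plain `php`; inside WordPress you would call the real esc_html(), esc_attr() and sanitize_text_field().

```php
<?php
// Illustrative example, not Freemius SDK code: reflected XSS via an
// unescaped query parameter, and the same output path hardened.

// Stand-ins for WordPress helpers so this file runs outside WordPress.
// In a real plugin, use the core functions of the same names instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Simplified: strip tags and control characters, collapse whitespace.
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );
        return trim( preg_replace( '/\s+/', ' ', $str ) );
    }
}

// VULNERABLE: the query-string value flows straight into the HTML response.
// Whoever gets an administrator to open a crafted URL controls admin-page markup.
function render_vulnerable( array $get ) {
    $query = isset( $get['s'] ) ? $get['s'] : '';
    return '<input type="text" name="s" value="' . $query . '">'
         . '<p>Results for ' . $query . '</p>';
}

// HARDENED: sanitize on input, then escape on output with the function that
// matches the HTML context (attribute value vs. text node).
function render_hardened( array $get ) {
    $query = isset( $get['s'] ) ? sanitize_text_field( $get['s'] ) : '';
    return '<input type="text" name="s" value="' . esc_attr( $query ) . '">'
         . '<p>Results for ' . esc_html( $query ) . '</p>';
}

// Constructed request, standing in for the parameters of a crafted URL.
$request = array( 's' => '"><script>alert(1)</script>' );
echo render_vulnerable( $request ), "\n"; // script element lands in the page as-is
echo render_hardened( $request ), "\n";   // inert text such as &quot;&gt;alert(1)
```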

Fortunately, the silver lining to this looming cloud is here – the developers have addressed this vulnerability in the Freemius WordPress SDK version 2.5.10, patching up the security flaw and ensuring the platform’s safety. Up to now, no attacks have been reported that specifically target this vulnerability, but it is always better to be safe than sorry.

If you’re a vendor with a plugin or theme that utilizes the Freemius SDK library, the recommendation is loud and clear – please update your SDK library to at least version 2.5.10.


What sets the Freemius WordPress SDK apart is a mechanism embedded within the SDK that automatically loads the latest version present on the site. This means that even if a website actively uses multiple plugins/themes that bundle Freemius, it is sufficient for one of those plugins/themes to ship the fixed SDK.

Administrators can easily verify if a website has already been patched by following these steps:

1. Visit /wp-admin/admin.php?page=freemius on your website.
2. Check the ‘Active SDK version.’
3. Ensure that it displays ‘2.5.10’ or a higher version.