Themes Vulnerabilities

Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting

Description

The Freemius SDK for WordPress does not adequately sanitize inputs or escape outputs, leading to Reflected Cross-Site Scripting. This directly affects over 1000 plugins and themes that use this SDK.

Affects Themes

bootstrap-fitness
Fixed in 1.0.6
patch-lite
No known fix
julia-lite
No known fix
videoblog
No known fix
corporate-event
No known fix
consultpress-lite
No known fix
elasta
Fixed in 1.0.9
bingopress
No known fix
yuki
Fixed in 1.3.8
one-page-conference
No known fix
lifestyle-magazine
Fixed in 10.2.1
wp-moose
No known fix
travel-tour
Fixed in 1.2.0
chained
No known fix
travel-agency-booking
No known fix
pixigo
No known fix
brasserie
No known fix
viralike
No known fix
medicpress-lite
No known fix
eighteen-tags
Fixed in 3.1.1
cyclone-blog
No known fix
speculor
No known fix
fortune
No known fix
rovenstart
Fixed in 1.2.2
start
No known fix
gym-express
No known fix
everse
Fixed in 1.8.10
simplifii
No known fix
nokke
Fixed in 1.2.3
totalpress
No known fix
krste
No known fix
shuban
No known fix
edupress
No known fix
broadcast-lite
Fixed in 2.0.7
bootstrap-photography
No known fix
wellness
No known fix
bani
No known fix
ona
Fixed in 1.18.3
wpcake
No known fix
temp-mail-x
No known fix
hive-lite
No known fix
purosa
Fixed in 1.1.3
wp-sierra
No known fix
saleszone
No known fix
gema-lite
No known fix
gutenbook
No known fix
meridia
Fixed in 2.2.8
brand
No known fix
the-authority
No known fix
hotelica
No known fix
aquarella-lite
No known fix
bootstrap-coach
Fixed in 1.1.2
villar
No known fix
learnmore
No known fix
topcat-lite
No known fix
fire-blog
No known fix
suffice
Fixed in 1.1.6
agncy
No known fix
wp-forge
No known fix
chic-lifestyle
Fixed in 10.0.8
bootstrap-blog
Fixed in 10.2.3
silk-lite
No known fix
g-blog
No known fix
nasio
No known fix
relax-spa
Fixed in 1.1.1
purus
No known fix
salzburg-blog
No known fix
baton
No known fix
nichebase
Fixed in 1.2.3
dostart
No known fix
elation
No known fix
cuisine-palace
No known fix
techism
No known fix
arendelle
Fixed in 1.1.11
monograph
No known fix
wp-magazine
No known fix
hasium
No known fix
news-unlimited
No known fix
amela
Fixed in 1.0.12
bloghub
No known fix
blockst
Fixed in 1.0.8
unakit
Fixed in 1.2.5.3
deadline
No known fix
newshit
Fixed in 1.0.7
gump
No known fix
bizpress
No known fix
whimsy-framework
No known fix
roven-blog
Fixed in 1.0.4

References

CVE
CVE-2023-33999

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
724786f8-1cd7-4d63-a124-9b560de112c2

Timeline

Publicly Published
2023-07-18 (about 9 months ago)
Added
2023-07-25 (about 9 months ago)
Last Updated
2024-01-24 (about 3 months ago)

Other

Published
Title
Published
2023-03-20
Title
FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
Published
2022-06-21
Title
CDI < 5.1.9 - Reflected Cross-Site-Scripting
Published
2018-12-13
Title
WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
Published
2014-08-01
Title
GroupDocs Document Annotation 1.3.8 - options.php Multiple Parameter XSS
Published
2014-08-01
Title
cleeng <= 2.3.2 - XSS in ZeroClipboard