Freemius SDK < 2.5.10 – Reflected Cross-Site Scripting

Affects Plugins

better-sharing

Fixed in 2.0.7

variable-product-swatches

No known fix

restrict-user-access

Fixed in 2.4.3

wp-media-category-management

Fixed in 2.1.3

cloud-sso-single-sign-on

Fixed in 1.0.14

wupo-group-attributes

Fixed in 2.3.3

feedbackscout

No known fix

all-in-one-video-downloader

No known fix

total-cost-input-for-woocommerce

Fixed in 1.0.1

Fixed in 1.0.3

Fixed in 1.6.2

Fixed in 3.3.0

No known fix

woocommerce-store-toolkit

Fixed in 2.3.9

best-woocommerce-feed

Fixed in 3.0

quiz-cat

Fixed in 1.2.0

wcc-seo-keyword-research

No known fix

elements-for-lifterlms

No known fix

utilitify

Fixed in 1.0.9

full-picture-analytics-cookie-notice

Fixed in 5.0.0

No known fix

No known fix

No known fix

No known fix

No known fix

No known fix

No known fix

fusionspan-impexium-single-sign-on

No known fix

easy-caller-with-moceanapi

No known fix

popups

Fixed in 1.8

xt-woo-quick-view-lite

Fixed in 2.0.0

drag-and-drop-form-builder-for-contact-form-7

Fixed in 1.2.6

subaccounts-for-woocommerce

Fixed in 1.4.0

internal-comments

No known fix

primary-addon-for-elementor

Fixed in 1.5.3

starcat-review

No known fix

twentyfourth-wp-scraper

No known fix

blocksy-companion

Fixed in 1.8.47

demomentsomtres-gravity-forms-improvements

Fixed in 201704251008

caldera-forms

Fixed in 1.7.5.1

wpgt-google-translate

No known fix

auto-install-free-ssl

Fixed in 3.6.0

station-pro

Fixed in 2.3.4

relicwp-helper

No known fix

wordlive-livecall-addon-for-woocommerce

No known fix

wp-table-pixie

Fixed in 1.2.0

event-tickets

Fixed in 5.6.0

custom-tabs-for-products-woocommerce

No known fix

woo-paylate

Fixed in 1.5

co2ok-for-woocommerce

Fixed in 2.0.4

woo-seo-addon

Fixed in 2.1.6

woo-wholesale-pricing

No known fix

goon-plugin-control

No known fix

frontend-group-restriction-for-learndash

No known fix

clinicalwp-core

No known fix

really-simple-featured-video

Fixed in 0.7.2

wc-cross-seller

No known fix

widget-for-eventbrite-api

Fixed in 5.3.1

woo-floating-cart-lite

Fixed in 2.7.4

Fixed in 2.5

Fixed in 3.5.1

No known fix

Fixed in 1.8.8

No known fix

Fixed in 2.1

floating-awesome-button

No known fix

postmatic

No known fix

court-reservation

No known fix

gsheetconnector-easy-digital-downloads

Fixed in 1.6.6

vo-locator-the-wp-store-locator

No known fix

get-directions

Fixed in 2.16.2

supportbubble

No known fix

premmerce-redirect-manager

Fixed in 1.0.10

snazzyadmin-wp-admin-theme

No known fix

linkedin-login

Fixed in 1.1

protect-admin-account

Fixed in 2.0.2

woo-customers-order-history

Fixed in 5.2.2

Fixed in 2.6.3.2

Fixed in 2.1.1

No known fix

No known fix

manage-gravity-forms-stripe-subscriptions

Fixed in 4.1.6

product-shipping-countdown-free-version

No known fix

admin-notices-for-team

No known fix

gsheetconnector-for-elementor-forms

Fixed in 1.0.9

buddyforms-posts-to-posts-integration

Fixed in 1.1.4

admin-user-search

No known fix

advanced-exchange-rates

No known fix

woo-coupons-bulk-editor

Fixed in 1.3.40

woocommerce-google-dynamic-retargeting-tag

Fixed in 1.7.17

woo-advance-search

No known fix

woocommerce-pay-per-post

Fixed in 3.1.11

bbresolutions

No known fix

menu-manager-ultra

Fixed in 1.0.8

sv-gravity-forms-enhancer

No known fix

advance-wc-analytics

Fixed in 3.4.0

bulk-edit-posts-on-frontend

Fixed in 2.4.27

goauth

No known fix

wc4bp-groups

Fixed in 1.1.1

tk-smugmug-slideshow-shortcode

No known fix

locked-payment-methods-for-woocommerce

No known fix

Fixed in 1.2.0

Fixed in 4.5.21

Fixed in 1.1.6.5

Fixed in 2.23.3

Fixed in 2.1.7

No known fix

payments-stripe-gateway

No known fix

contact-widgets-for-elementor

No known fix

Fixed in 3.3.10

Fixed in 2.1.9

Fixed in 3.2

No known fix

No known fix

Fixed in 1.9.3

pro-links-maintainer-dev

No known fix

content-blocks-builder

Fixed in 2.3.17

wpformify

No known fix

octrace-support

Fixed in 1.2.5

advanced-easy-shipping-for-wc-lite

No known fix

walker-core

Fixed in 1.3.6

simple-youtube-gdpr

No known fix

modern-designs-for-gravity-forms

No known fix

rankbear

No known fix

wp-travel

Fixed in 4.2.0

stax

No known fix

miguras-divi-enhancer

No known fix

fast-checkout-for-woocommerce

No known fix

multilist-subscribe-for-sendy

No known fix

woocommerce-payplug

No known fix

campation-postoffice

No known fix

wpcs-content-scheduler

No known fix

w3s-cf7-zoho

No known fix

wp-letsencrypt-ssl

Fixed in 6.3.0

magic-login-api

No known fix

inavii-social-feed-for-elementor

Fixed in 2.1.3

buddyforms-hook-fields

Fixed in 1.3.2

alley-business-toolkit

No known fix

premmerce-woocommerce-product-filter

Fixed in 3.7.2

social-lite

Fixed in 1.3.0

wp-search-filter

No known fix

woo-order-status-per-product

No known fix

chamber-dashboard-business-directory

Fixed in 3.3.2

social-kit

No known fix

windsor-strava-athlete

No known fix

post-slider-and-carousel

Fixed in 3.2.1

wpeform-lite

Fixed in 1.6.5

hm-multiple-roles

Fixed in 1.9

woocommerce-delivery-date

No known fix

commenting-feature

Fixed in 3.2

coming-soon-master

Fixed in 1.1

alt-manager

Fixed in 1.5.7

bsd-woo-stripe-connect-split-pay

Fixed in 3.2.10

Fixed in 2.2.4

Fixed in 2.5.2

Fixed in 1.2.36

Fixed in 1.5.4

Fixed in 1.0.7

No known fix

Fixed in 1.1.6

No known fix

woo-bulk-edit-products

Fixed in 1.8.3

da-reactions

Fixed in 4.0.4

food-store

Fixed in 1.4.7.5

checkout-freemius-rewamped

Fixed in 2.0.1

pods

Fixed in 2.8.0

abeta-punchout

Fixed in 1.0.0

embedder-for-google-reviews

Fixed in 1.5.11

super-notes

No known fix

wootrello

No known fix

page-builder-sandwich

No known fix

hm-logo-showcase

Fixed in 2.0.4

wp-stripe-express

Fixed in 1.12.1

woowgallery

Fixed in 1.2.0

import-holded-products-woocommerce

Fixed in 2.0

woo-nmi-three-step

No known fix

order-redirects-for-woocommerce

Fixed in 0.8.1

product-price-history

Fixed in 2.1.5

wcsm-search-merchandising

No known fix

upfiv-complete-all-in-one-seo-wizard

No known fix

video-reviews

Fixed in 1.3.5

greenshift-animation-and-page-builder-blocks

Fixed in 4.3

restaurant-cafe-addon-for-elementor

Fixed in 1.4.8

References

CVE

CVE-2023-33999

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

9f01090f-df5b-4d9e-bc4d-fac9150fdfe6

Timeline

Publicly Published

2023-07-18 (about 4 months ago)

Added

2023-07-25 (about 4 months ago)

Last Updated

2023-11-15 (about 16 days ago)

Other

Published

Title

Published

2014-11-13

Title

Passwordless Login Plugin - Multiple Input XSS

Published

2023-02-02

Title

Show-Hide / Collapse-Expand < 1.3.0 - Contributor+ Stored XSS via Shortcode

Published

2022-01-05

Title

SupportCandy < 2.2.7 - Contributor+ Stored Cross-Site Scripting

Published

2022-06-23

Title

Loading Page with Loading Screen < 1.0.83 - Admin+ Stored Cross-Site Scripting

Published

2023-06-05

Title

KiviCare Management System < 3.2.1 - Reflected Cross-Site Scripting