Unauthorised AJAX Calls via Freemius

2022-02-2800:00:00

wpscan.com

The plugins and themes use an insecure version of the Freemius Framework, which is lacking CSRF and/or authorisation in some of its AJAX actions. As a result, any authenticated users, such as subscriber could access the debug logs. Unauthenticated attackers could also make a logged in admin toggle the debug mode via a CSRF attack.

PoC

To access debug logs, as any authenticated user: https://example.com/wp-admin/admin-ajax.php?action=fs_get_debug_log

CPENameOperatorVersion
fin-accounting-for-woocommercelt4.4.3
gsheetconnector-ninja-formslt1.2.2
petslt1.4.1
starcat-reviewlt0.8
fast-wpeq*
auto-robotlt3.3.39
wp-bing-searchlt2.4
f4-treelt1.1.9
next-order-coupon-woocommerceeq*
checkboxlt0.8.4

Name	Operator	Version
fin-accounting-for-woocommerce	lt	4.4.3
gsheetconnector-ninja-forms	lt	1.2.2
pets	lt	1.4.1
starcat-review	lt	0.8
fast-wp	eq	*
auto-robot	lt	3.3.39
wp-bing-search	lt	2.4
f4-tree	lt	1.1.9
next-order-coupon-woocommerce	eq	*
checkbox	lt	0.8.4

Rows per page:

1-10 of 4401

JSON