Freemius Still Hasn’t Resolved All the Security Issues in Their SDK Library
In a blog post last year, Freemius bizarrely criticized us for not working with them to fix vulnerabilities in their library that ships with many WordPress plugins, while linking to a post from the year before where they admitted to having been the ones refusing to work with us. The post last year revolved around them belatedly addressing a security issue that we had tried to address with them the year before. They also criticized us for publicly disclosing vulnerabilities we had discovered during a security review of a plugin using it, rather than leaving it to competitors to disclose them. (In a previous incident, they accused us of full disclosure of a vulnerability, despite us only knowing about it because it had already been exploited and fixed.) In both posts they derisively referred to those in the security industry as “trolls”. That type of behavior shouldn’t be acceptable in the WordPress community.
Unsurprisingly, considering Freemius’ abusive attitude towards the security industry and their unwillingness to take responsibility for their continued poor handling of security, they still haven’t resolved all the security issues related to what we brought up with them two years ago.
We are in the process of surfacing more information on libraries included in plugins to our new Plugin Security Scorecard. As part of that, we went back to look to see if Freemius had resolved everything we had raised with them before. In doing that, we noticed a fairly glaring issue that still hasn’t been addressed.
When logged in to WordPress as an Administrator with a plugin using the Freemius library, you can access a Freemius Debug page by accessing a specific URL. On that page are several buttons:
If you were to click one of those, Clear Updates Transients, the action is only taken if you are accessing that page, so you have to be an Administrator, and if a valid nonce is provided (to prevent cross-site request forgery (CSRF)):

```php
// Handler for the "Clear Updates Transients" button on the Freemius Debug page:
// the request is only processed when a valid nonce for this action is present.
} else if ( fs_request_is_action( 'clear_updates_data' ) ) {
    check_admin_referer( 'clear_updates_data' );
```
By comparison, clicking the button to the left of that, Clear API Cache, runs when the library loads, so it doesn’t even require being logged in, and there isn’t a nonce check. That occurs in the constructor function for the library, __construct() in the file /includes/class-freemius.php. Here are the relevant lines, which are missing a nonce check, unlike the other action:

```php
// In Freemius::__construct(): the cache is cleared for any request carrying
// fs_clear_api_cache=true (or the restart_freemius action), with no capability
// check and no nonce check.
if ( 'true' === fs_request_get( 'fs_clear_api_cache' ) ||
     fs_request_is_action( 'restart_freemius' )
) {
    FS_Api::clear_cache();
    $this->_cache->clear();
```
Clicking that button is the only place in the library that calls that code, so it is intended to be accessed by Administrators, but isn’t properly secured.
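To show the difference between the two handlers in one place, here is an added example (our own illustration, not code from Freemius or from any plugin named above) of a hypothetical plugin that exposes a similar "clear cache" action in the insecure way and then in the way the Clear Updates Transients handler is protected. The plugin name, hook names, option key and the `example_` function names are assumptions made for the illustration.

```php
<?php
/**
 * Plugin Name: Example Cache Clear (hypothetical, added illustration)
 *
 * Two ways of wiring an admin-only "clear cache" action to a query string.
 */

// Constructed sample of the data the action operates on (an ordinary option).
define( 'EXAMPLE_CACHE_OPTION', 'example_api_cache' ); // hypothetical option key

// --- Insecure pattern (mirrors the Clear API Cache handler) -----------------
// Runs on every request as soon as the plugin file is loaded. Nothing checks
// who is asking or whether the request originated from the admin page, so a
// plain GET from anyone, logged in or not, clears the cache.
if ( isset( $_GET['example_clear_cache'] ) && 'true' === $_GET['example_clear_cache'] ) {
    delete_option( EXAMPLE_CACHE_OPTION );
}

// --- Hardened pattern (mirrors the Clear Updates Transients handler) ---------
// 1. Defer the work to admin_init, so it only runs for admin requests and the
//    user/nonce functions are guaranteed to be loaded.
// 2. Require the capability an Administrator has.
// 3. Require a nonce tied to this specific action, so a cross-site request
//    cannot trigger it.
add_action( 'admin_init', 'example_maybe_clear_cache' );

function example_maybe_clear_cache() {
    if ( ! isset( $_GET['example_clear_cache'] ) ) {
        return;
    }
    $wanted = sanitize_text_field( wp_unslash( $_GET['example_clear_cache'] ) );
    if ( 'true' !== $wanted ) {
        return;
    }
    // Capability check: only users who may manage the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: check_admin_referer() dies unless a valid nonce for
    // 'example_clear_cache' is present in _wpnonce.
    check_admin_referer( 'example_clear_cache' );

    delete_option( EXAMPLE_CACHE_OPTION );
}

// The button itself must carry the matching nonce, otherwise the legitimate
// click would be rejected too. wp_nonce_url() appends _wpnonce for the action.
function example_clear_cache_button_url() {
    $url = add_query_arg( 'example_clear_cache', 'true', admin_url( 'tools.php' ) );
    return wp_nonce_url( $url, 'example_clear_cache' );
}

// Rendering the button on a hypothetical admin page.
function example_render_clear_cache_button() {
    printf(
        '<a class="button" href="%s">Clear Cache</a>',
        esc_url( example_clear_cache_button_url() )
    );
}
```

The two checks do different jobs and both are needed: the capability check decides who may clear the cache, and the nonce check ensures the Administrator actually intended to (rather than being sent to a crafted link). Moving the handler from the constructor to admin_init is our design choice for the illustration; it also avoids the constructor running the check on front-end requests at all.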
While it doesn’t look like this leads to any serious issue, it should be secured. It also suggests that the developer of the library still hasn’t tried to fully secure it. And if there has ever been a thorough security review of the library itself (our review focused on its security in the context of the plugin we were checking), the issues found have not been addressed by them.
While a lot of the blame for this falls on Freemius, which is a for-profit company, there are also the many WordPress plugins, with millions of installs, that continue to use the library despite its not having been fully secured. That includes several fairly popular security plugins: WP fail2ban, WP Encryption, and Security Ninja. Either the developers of those security plugins haven’t reviewed the security of the library, which they should have, or Freemius didn’t address the issues and the developers of those plugins continued to use it anyway.
Our Plugin Security Scorecard is warning about plugins that contain a vulnerable version of the Freemius SDK library. Separately, that tool also lists whether a plugin contains the library, which people might want to consider when deciding whether to use a plugin.
Concerned About The Security of the Plugins You Use?
When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.

Plugin Security Scorecard Grade for Security Ninja (checked on April 1, 2025)

Plugin Security Scorecard Grade for WP Encryption (checked on August 9, 2024)