FooPlugins was recently made aware of a security vulnerability across our plugins. This issue, however, has been fixed in the latest update for all plugins. This includes the free and premium versions of FooGallery, FooBox and FooBar.
If you’re using one of our plugins and haven’t yet done so, we recommend that you update to the latest version.
What Was The Vulnerability?
We were recently notified of a security issue in the Freemius SDK. Freemius is the platform we use to distribute and license our plugins, so when you download the free version, or purchase a Pro plugin from us, the plugin contains the Freemius SDK. This means that all of our plugins were at potential risk.
However, the security issue was dealt with very quickly by Freemius who promptly released a patch to their SDK. FooPlugins has since implemented the patch in our latest update, thereby fixing the vulnerability.
Below is a quick summary of the security vulnerability, as reported by Freemius. For more details, you can read the full account here.
- The reported security issues do not weaken the security of WordPress websites. Meaning, even if a website is running a non-patched SDK version, it does not make the site more vulnerable to attacks.
- The central issue allows WP logged-in users to turn the SDK’s debug mode on, which can potentially expose some Freemius-related sensitive variables — like an opted-in email address and API keys.
- If the option to register on a WordPress site is disabled, assuming there are no hackers among the website’s existing users, there’s nothing to worry about.
- Even if there is an option to register, if there was no opt-in nor license activation — i.e., a free plugin/theme that uses Freemius and an admin skipped the opt-in — there’s also nothing to worry about.
- If an option for users to register is active and a license was activated, the API keys of the user can be obtained by an attacker, which will potentially allow them to access the license owner’s information on Freemius. However, there’s no risk of obtaining credit card numbers; the most sensitive information a hacker can get is the license keys and invoices associated with the account.
- To leverage the vulnerability, an attacker would need to attack a site per account. So realistically, unless an attacker is targeting a specific WordPress site, the potential gain doesn’t seem to be worth the effort, and therefore it is likely that the chance someone can coordinate an attack at scale to abuse this weakness is extremely slim.
- However, if a site is not running a patched release, updating to the latest version is important and we urge you to do so.
Why Wait To Disclose?
As we mentioned above, we were notified about this issue before now. But we decided not to announce the vulnerability earlier for several reasons.
Firstly, and as Freemius has mentioned in their report about the issue, disclosing a security issue early on is not good practice. It does not give anyone, including us or our users, time to update before the issue becomes public knowledge. Aside from this, announcing a security threat before there is a fix puts your websites at risk unnecessarily. We did not want to do this.
We also wanted to ensure that our plugins were properly updated before disclosing the vulnerability, so that our users would then be able to update quickly. As our plugins all now include the patch, you can update to the latest version to ensure that you are not exposed to any potential risk.
Security Fix
The latest versions of all of our plugins now include the security fix. To ensure that your plugins do not pose a potential risk, we strongly recommend that you update to the latest version.
The latest plugin versions are as follows:
- FooGallery (Free and Pro): v2.1.34
- FooBox (Free and Pro): v2.7.23
- FooBar (Free and Pro): v2.1.15
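To check an installation against the versions listed above, here is an added example (not FooPlugins' or Freemius' code) that parses the standard WordPress plugin header (Plugin Name / Version) from each plugin's main file and reports any of the three products that is below the patched release. Matching on the first word of the plugin name, so that free and Pro builds both match, is an assumption; the sample headers are constructed.

```python
"""Report FooGallery/FooBox/FooBar installs below the patched versions."""
import re
import sys
from pathlib import Path

# Minimum versions carrying the Freemius SDK fix, as listed in the advisory.
PATCHED = {"FooGallery": "2.1.34", "FooBox": "2.7.23", "FooBar": "2.1.15"}

# WordPress plugin header lines look like "Plugin Name: X" or " * Version: 1.2".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# Constructed sample input, not real plugin files.
SAMPLE_HEADERS = [
    "<?php\n/*\nPlugin Name: FooGallery\nVersion: 2.1.33\n*/\n",
    "<?php\n/**\n * Plugin Name: FooBox Image Lightbox\n * Version: 2.7.23\n */\n",
    "<?php\n/*\nPlugin Name: Some Other Plugin\nVersion: 1.0\n*/\n",
]


def parse_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin file's header."""
    return {key: value for key, value in HEADER_RE.findall(text)}


def version_tuple(version):
    """'v2.1.34' -> (2, 1, 34); non-numeric parts such as 'beta' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.lstrip("vV").split("."))


def outdated(headers):
    """Return (name, installed, required) for each product below its patched release.
    Assumption: the first word of Plugin Name identifies the product."""
    results = []
    for header in headers:
        name = header.get("Plugin Name", "")
        product = name.split()[0].lower() if name else ""
        for known, required in PATCHED.items():
            if product == known.lower():
                installed = header.get("Version", "0")
                if version_tuple(installed) < version_tuple(required):
                    results.append((name, installed, required))
    return results


def scan_plugins_dir(plugins_dir):
    """Parse the header of every top-level .php file in a wp-content/plugins dir."""
    headers = []
    for php in Path(plugins_dir).glob("*/*.php"):
        header = parse_header(php.read_text(errors="ignore")[:8192])  # WP reads 8 KiB
        if "Plugin Name" in header:
            headers.append(header)
    return headers


if __name__ == "__main__":
    plugins_dir = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for name, have, need in outdated(scan_plugins_dir(plugins_dir)):
        print(f"{name}: {have} installed, {need} or later required")
```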
While this is unfortunate, we realise that it may have caused concern or inconvenience, and for this we are sorry. We also want to assure you again that we have addressed the issue in the latest updates for all of our plugins, so we do recommend updating as soon as possible.
In general terms, keeping all of your plugins up to date is an important factor when it comes to maintaining your site and your site’s security. For this reason, we encourage our users to update our plugins whenever a new version is released. If you have a premium plugin, then one of the things your annual payment includes is these updates – so please make the most of this and update your plugins regularly.