Atomic Edge analysis of CVE-2024-13362:
This vulnerability is a Reflected DOM-Based Cross-Site Scripting (XSS) vulnerability in the Freemius SDK library (versions 2.10.1 and prior), which is bundled with the Master Addons WordPress plugin (versions 2.0.7.2 and prior). The flaw lies in the trial promotion notice rendering mechanism, where the `trial_promotion_message` filter is applied to a string that was previously concatenated with a raw HTML button. An unauthenticated attacker can inject arbitrary JavaScript into the admin notice by crafting a malicious `url` parameter, which executes when an administrator clicks a crafted link.
The root cause is in `/master-addons/lib/freemius/includes/class-freemius.php`, specifically within the `_add_trial_notice()` method around line 24000. The original code concatenated a user-supplied URL (`$trial_url`) directly into an HTML anchor tag’s `href` attribute inside a sprintf call. The `$trial_url` value originates from the `url` GET parameter passed to the plugin’s admin page. The `apply_filters()` call on line 24015 was applied to the entire message string (including the raw `$button` HTML), but the URL itself was never sanitized or validated before being injected into the markup. The filter function `trial_promotion_message` allows other plugins to manipulate the message, but the core issue is that the unsanitized URL parameter flows directly into a JavaScript-executable context (a hyperlink).
An attacker can exploit this by crafting a URL to a WordPress admin page loaded by the Master Addons plugin, appending a `url` parameter containing a JavaScript payload. For example, an attacker sends a link like `/wp-admin/admin.php?page=master-addons&url=javascript:alert(document.cookie)`. When an administrator clicks this link, the vulnerable Freemius code renders the trial promotion notice with the attacker-controlled `url` value as an `href` attribute. The `javascript:` pseudo-protocol executes the attacker’s script in the context of the admin dashboard. The attack is reflected (not stored) and requires user interaction (the admin must click the link), but no authentication is required to trigger the notice rendering code.
The patch, as shown in the diff for Freemius version 2.11.0, restructures the trial notice generation. The new code on line 24002 removes the user-controlled URL from the direct `sprintf` HTML construction. Instead, it creates a separate message variable (`$message_text`) that filters only the text message and the credit card string (excluding the button). The button is then wrapped in a `
` and appended after the filtered message text. Critically, the patched version does not use the unfiltered `$trial_url` variable in an uncontrolled way within the HTML. The new structure (`
Differential between vulnerable and patched code
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
Code Diff
--- a/master-addons/addons/ma-image-carousel/ma-image-carousel.php
+++ b/master-addons/addons/ma-image-carousel/ma-image-carousel.php
@@ -64,7 +64,7 @@
public function get_script_depends()
{
return [
- 'ma-swiper',
+ 'swiper',
'fancybox',
'master-addons-scripts'
];
@@ -73,7 +73,7 @@
public function get_style_depends()
{
return [
- 'ma-swiper',
+ 'e-swiper',
'fancybox',
'master-addons-main-style'
];
--- a/master-addons/addons/ma-logo-slider/ma-logo-slider.php
+++ b/master-addons/addons/ma-logo-slider/ma-logo-slider.php
@@ -52,7 +52,7 @@
public function get_style_depends()
{
return [
- 'ma-swiper',
+ 'e-swiper',
'jltma-tippy',
'font-awesome-5-all',
'font-awesome-4-shim'
@@ -62,7 +62,7 @@
public function get_script_depends()
{
return [
- 'ma-swiper',
+ 'swiper',
'jltma-popper',
'jltma-tippy',
'master-addons-scripts'
--- a/master-addons/addons/ma-pricing-table/ma-pricing-table.php
+++ b/master-addons/addons/ma-pricing-table/ma-pricing-table.php
@@ -2413,7 +2413,7 @@
}
if (!empty($item['ma_el_pricing_table_tooltip_text'])) {
- $this->add_render_attribute('features', 'data-tippy', '', true);
+ $this->add_render_attribute('features', 'data-tippy', '1', true);
$this->add_render_attribute('features', 'data-tippy-content', $item['ma_el_pricing_table_tooltip_text'], true);
}
--- a/master-addons/addons/ma-team-members-slider/ma-team-members-slider.php
+++ b/master-addons/addons/ma-team-members-slider/ma-team-members-slider.php
@@ -49,12 +49,12 @@
}
public function get_script_depends() {
- return ['ma-swiper', 'gridder', 'master-addons-scripts'];
+ return ['swiper', 'gridder', 'master-addons-scripts'];
}
public function get_style_depends() {
return [
- 'ma-swiper',
+ 'e-swiper',
'gridder',
'font-awesome-5-all',
'font-awesome-4-shim'
@@ -487,10 +487,10 @@
{{WRAPPER}} .jltma-team-member-circle,
{{WRAPPER}} .jltma-team-member-social-left,
{{WRAPPER}} .jltma-team-carousel-wrapper,
- {{WRAPPER}} .swiper-container-fade .swiper-slide,
+ {{WRAPPER}} .swiper-fade .swiper-slide,
{{WRAPPER}} .jltma-team-member-rounded' => 'background: {{VALUE}};',
- '{{WRAPPER}} .gridder .gridder-show' => 'background-color: {{VALUE}};',
- '{{WRAPPER}} #animation_svg_04 circle' => 'fill: {{VALUE}}',
+ '{{WRAPPER}} .gridder .gridder-show' => 'background-color: {{VALUE}};',
+ '{{WRAPPER}} #animation_svg_04 circle' => 'fill: {{VALUE}}',
],
] );
$this->add_control( 'ma_el_team_carousel_content_align', [
--- a/master-addons/addons/ma-tooltip/ma-tooltip.php
+++ b/master-addons/addons/ma-tooltip/ma-tooltip.php
@@ -409,18 +409,18 @@
]
);
- $this->add_control(
- 'jltma_tooltip_arrow',
- [
- 'label' => esc_html__('Arrow', 'master-addons'),
- 'type' => Controls_Manager::SWITCHER,
- 'render_type' => 'none',
- 'frontend_available' => true,
- 'condition' => [
- 'jltma_tooltip_animation!' => 'fill'
- ],
- ]
- );
+ // $this->add_control(
+ // 'jltma_tooltip_arrow',
+ // [
+ // 'label' => esc_html__('Arrow', 'master-addons'),
+ // 'type' => Controls_Manager::SWITCHER,
+ // 'render_type' => 'none',
+ // 'frontend_available' => true,
+ // 'condition' => [
+ // 'jltma_tooltip_animation!' => 'fill'
+ // ],
+ // ]
+ // );
$this->add_control(
'jltma_tooltip_arrow_type',
--- a/master-addons/inc/classes/assets-manager.php
+++ b/master-addons/inc/classes/assets-manager.php
@@ -62,13 +62,7 @@
public function jltma_register_frontend_scripts() {
$suffix = ( defined( 'SCRIPT_DEBUG' ) && SCRIPT_DEBUG ? '' : '.min' );
$jltma_vendor_dir = JLTMA_URL . '/assets/vendor/';
- wp_register_script(
- 'ma-swiper',
- $jltma_vendor_dir . 'swiper/js/swiper-bundle.min.js',
- ['jquery'],
- JLTMA_VER,
- true
- );
+ // wp_register_script('ma-swiper', $jltma_vendor_dir . 'swiper/js/swiper-bundle.min.js', ['jquery'], JLTMA_VER, true);
wp_register_script(
'ma-animated-headlines',
JLTMA_URL . '/assets/js/animated-main.js',
@@ -168,7 +162,7 @@
true
);
// Swiper
- wp_register_style( 'ma-swiper', $jltma_vendor_dir . 'swiper/css/swiper.min.css' );
+ // wp_register_style('ma-swiper', $jltma_vendor_dir . 'swiper/css/swiper.min.css');
// Tippy JS
wp_register_style( 'jltma-tippy', $jltma_vendor_dir . 'tippyjs/css/tippy.css' );
wp_register_script(
--- a/master-addons/inc/modules/glassmorphism/glassmorphism.php
+++ b/master-addons/inc/modules/glassmorphism/glassmorphism.php
@@ -78,8 +78,8 @@
'default' => 20,
'selectors' => [
'{{WRAPPER}}.jltma-glass-effect-yes.elementor-section' => 'backdrop-filter: blur({{SIZE}}px); -webkit-backdrop-filter: blur({{SIZE}}px);',
- '{{WRAPPER}}.jltma-glass-effect-yes > .elementor-column-wrap' => 'backdrop-filter: blur({{SIZE}}px); -webkit-backdrop-filter: blur({{SIZE}}px);',
- '{{WRAPPER}}.jltma-glass-effect-yes > .elementor-widget-container' => 'backdrop-filter: blur({{SIZE}}px); -webkit-backdrop-filter: blur({{SIZE}}px);',
+ '{{WRAPPER}}.jltma-glass-effect-yes > .elementor-widget-wrap' => 'backdrop-filter: blur({{SIZE}}px); -webkit-backdrop-filter: blur({{SIZE}}px);',
+ '{{WRAPPER}}.jltma-glass-effect-yes > .elementor-widget' => 'backdrop-filter: blur({{SIZE}}px); -webkit-backdrop-filter: blur({{SIZE}}px);',
],
'condition' => [
'jltma_enable_glassmorphism_effect' => 'yes'
--- a/master-addons/inc/modules/particles/particles.php
+++ b/master-addons/inc/modules/particles/particles.php
@@ -33,7 +33,7 @@
public function register_controls($element, $section_id, $args)
{
- if (('section' === $element->get_name() && 'section_background' === $section_id) || ('column' === $element->get_name() && 'section_style' === $section_id)) {
+ if (('section' === $element->get_name() && 'section_background' === $section_id) || ('column' === $element->get_name() && 'section_style' === $section_id) || ('container' === $element->get_name() && 'section_background' === $section_id)) {
$element->start_controls_section(
'ma_el_particles',
@@ -214,7 +214,7 @@
public function _before_render($element)
{
- if ($element->get_name() != 'section' && $element->get_name() != 'column') {
+ if ($element->get_name() != 'section' && $element->get_name() != 'column' && $element->get_name() != 'container') {
return;
}
@@ -225,15 +225,16 @@
}
}
+
function _print_template($template, $widget)
{
- if ($widget->get_name() != 'section' && $widget->get_name() != 'column') {
+ if ($widget->get_name() != 'section' && $widget->get_name() != 'column' && $widget->get_name() != 'container') {
return $template;
}
$old_template = $template;
ob_start();
-?>
+ ?>
<div class="jltma-particle-wrapper" id="jltma-particle-{{ view.getID() }}" data-ma-el-pdata=" {{ settings
.ma_el_particle_json }}"></div>
@@ -252,7 +253,6 @@
$settings = $element->get_settings_for_display();
$type = $data['elType'];
$zindex = !empty($settings['ma_el_particle_area_zindex']) ? $settings['ma_el_particle_area_zindex'] : 0;
-
if (('section' === $type) && ($element->get_settings('ma_el_enable_particles') === 'yes')) {
?>
<style>
--- a/master-addons/inc/traits/swiper-controls.php
+++ b/master-addons/inc/traits/swiper-controls.php
@@ -1146,7 +1146,7 @@
'size' => 10
],
'selectors' => [
- '{{WRAPPER}} .swiper-container' => 'padding: {{SIZE}}{{UNIT}}; margin: 0 -{{SIZE}}{{UNIT}};'
+ '{{WRAPPER}} .swiper' => 'padding: {{SIZE}}{{UNIT}}; margin: 0 -{{SIZE}}{{UNIT}};'
]
]
);
@@ -1974,7 +1974,7 @@
],
],
'selectors' => [
- '{{WRAPPER}} .swiper-scrollbar, {{WRAPPER}} .jltma-' . $name . '-wrapper .swiper-container-horizontal > .swiper-scrollbar' => 'height: {{SIZE}}px;',
+ '{{WRAPPER}} .swiper-scrollbar, {{WRAPPER}} .jltma-' . $name . '-wrapper .swiper-horizontal > .swiper-scrollbar' => 'height: {{SIZE}}px;',
],
'condition' => [
'show_scrollbar' => 'yes'
@@ -2547,7 +2547,7 @@
]
],
'selectors' => [
- '{{WRAPPER}} .swiper-scrollbar, {{WRAPPER}} .jltma-' . $name . ' .swiper-container-horizontal > .swiper-scrollbar' => 'top: {{SIZE}}px;',
+ '{{WRAPPER}} .swiper-scrollbar, {{WRAPPER}} .jltma-' . $name . ' .swiper-horizontal > .swiper-scrollbar' => 'top: {{SIZE}}px;',
],
'condition' => [
'show_scrollbar' => 'yes'
--- a/master-addons/lib/freemius/includes/class-freemius.php
+++ b/master-addons/lib/freemius/includes/class-freemius.php
@@ -24000,13 +24000,15 @@
// Start trial button.
$button = ' ' . sprintf(
- '<a style="margin-left: 10px; vertical-align: super;" href="%s"><button class="button button-primary">%s ➜</button></a>',
+ '<div><a class="button button-primary" href="%s">%s ➜</a></div>',
$trial_url,
$this->get_text_x_inline( 'Start free trial', 'call to action', 'start-free-trial' )
);
+ $message_text = $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string}" );
+
$this->_admin_notices->add_sticky(
- $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string} {$button}" ),
+ "<div class="fs-trial-message-container"><div>{$message_text}</div> {$button}</div>",
'trial_promotion',
'',
'promotion'
@@ -25476,7 +25478,7 @@
$img_dir = WP_FS__DIR_IMG;
// Locate the main assets folder.
- if ( 1 < count( $fs_active_plugins->plugins ) ) {
+ if ( ! empty( $fs_active_plugins->plugins ) ) {
$plugin_or_theme_img_dir = ( $this->is_plugin() ? WP_PLUGIN_DIR : get_theme_root( get_stylesheet() ) );
foreach ( $fs_active_plugins->plugins as $sdk_path => &$data ) {
--- a/master-addons/lib/freemius/includes/class-fs-plugin-updater.php
+++ b/master-addons/lib/freemius/includes/class-fs-plugin-updater.php
@@ -542,24 +542,8 @@
global $wp_current_filter;
- $current_plugin_version = $this->_fs->get_plugin_version();
-
- if ( ! empty( $wp_current_filter ) && 'upgrader_process_complete' === $wp_current_filter[0] ) {
- if (
- is_null( $this->_update_details ) ||
- ( is_object( $this->_update_details ) && $this->_update_details->new_version !== $current_plugin_version )
- ) {
- /**
- * After an update, clear the stored update details and reparse the plugin's main file in order to get
- * the updated version's information and prevent the previous update information from showing up on the
- * updates page.
- *
- * @author Leo Fajardo (@leorw)
- * @since 2.3.1
- */
- $this->_update_details = null;
- $current_plugin_version = $this->_fs->get_plugin_version( true );
- }
+ if ( ! empty( $wp_current_filter ) && in_array( 'upgrader_process_complete', $wp_current_filter ) ) {
+ return $transient_data;
}
if ( ! isset( $this->_update_details ) ) {
@@ -568,7 +552,7 @@
false,
fs_request_get_bool( 'force-check' ),
FS_Plugin_Updater::UPDATES_CHECK_CACHE_EXPIRATION,
- $current_plugin_version
+ $this->_fs->get_plugin_version()
);
$this->_update_details = false;
--- a/master-addons/lib/freemius/includes/entities/class-fs-plugin-plan.php
+++ b/master-addons/lib/freemius/includes/entities/class-fs-plugin-plan.php
@@ -13,7 +13,6 @@
/**
* Class FS_Plugin_Plan
*
- * @property FS_Pricing[] $pricing
*/
class FS_Plugin_Plan extends FS_Entity {
--- a/master-addons/lib/freemius/includes/entities/class-fs-site.php
+++ b/master-addons/lib/freemius/includes/entities/class-fs-site.php
@@ -10,16 +10,16 @@
exit;
}
- /**
- * @property int $blog_id
- */
- #[AllowDynamicProperties]
class FS_Site extends FS_Scope_Entity {
/**
* @var number
*/
public $site_id;
/**
+ * @var int
+ */
+ public $blog_id;
+ /**
* @var number
*/
public $plugin_id;
--- a/master-addons/lib/freemius/includes/entities/class-fs-user.php
+++ b/master-addons/lib/freemius/includes/entities/class-fs-user.php
@@ -48,6 +48,19 @@
parent::__construct( $user );
}
+ /**
+ * This method removes the deprecated 'is_beta' property from the serialized data.
+ * Should clean up the serialized data to avoid PHP 8.2 warning on next execution.
+ *
+ * @return void
+ */
+ function __wakeup() {
+ if ( property_exists( $this, 'is_beta' ) ) {
+ // If we enter here, and we are running PHP 8.2, we already had the warning. But we sanitize data for next execution.
+ unset( $this->is_beta );
+ }
+ }
+
function get_name() {
return trim( ucfirst( trim( is_string( $this->first ) ? $this->first : '' ) ) . ' ' . ucfirst( trim( is_string( $this->last ) ? $this->last : '' ) ) );
}
--- a/master-addons/lib/freemius/includes/managers/class-fs-admin-menu-manager.php
+++ b/master-addons/lib/freemius/includes/managers/class-fs-admin-menu-manager.php
@@ -699,16 +699,36 @@
$menu = $this->find_main_submenu();
}
+ $menu_slug = $menu['menu'][2];
$parent_slug = isset( $menu['parent_slug'] ) ?
- $menu['parent_slug'] :
- 'admin.php';
+ $menu['parent_slug'] :
+ 'admin.php';
- return admin_url(
- $parent_slug .
- ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
- 'page=' .
- $menu['menu'][2]
- );
+ if ( fs_apply_filter( $this->_module_unique_affix, 'enable_cpt_advanced_menu_logic', false ) ) {
+ $parent_slug = 'admin.php';
+
+ /**
+ * This line and the `if` block below it are based on the `menu_page_url()` function of WordPress.
+ *
+ * @author Leo Fajardo (@leorw)
+ * @since 2.10.2
+ */
+ global $_parent_pages;
+
+ if ( ! empty( $_parent_pages[ $menu_slug ] ) ) {
+ $_parent_slug = $_parent_pages[ $menu_slug ];
+ $parent_slug = isset( $_parent_pages[ $_parent_slug ] ) ?
+ $parent_slug :
+ $menu['parent_slug'];
+ }
+ }
+
+ return admin_url(
+ $parent_slug .
+ ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
+ 'page=' .
+ $menu_slug
+ );
}
/**
--- a/master-addons/lib/freemius/includes/managers/class-fs-admin-notice-manager.php
+++ b/master-addons/lib/freemius/includes/managers/class-fs-admin-notice-manager.php
@@ -194,8 +194,14 @@
* @since 1.0.7
*/
static function _add_sticky_dismiss_javascript() {
+ $sticky_admin_notice_js_template_name = 'sticky-admin-notice-js.php';
+
+ if ( ! file_exists( fs_get_template_path( $sticky_admin_notice_js_template_name ) ) ) {
+ return;
+ }
+
$params = array();
- fs_require_once_template( 'sticky-admin-notice-js.php', $params );
+ fs_require_once_template( $sticky_admin_notice_js_template_name, $params );
}
private static $_added_sticky_javascript = false;
--- a/master-addons/lib/freemius/start.php
+++ b/master-addons/lib/freemius/start.php
@@ -15,7 +15,7 @@
*
* @var string
*/
- $this_sdk_version = '2.10.1';
+ $this_sdk_version = '2.11.0';
#region SDK Selection Logic --------------------------------------------------------------------
--- a/master-addons/master-addons.php
+++ b/master-addons/master-addons.php
@@ -5,7 +5,7 @@
* Description: Master Addons is easy and must have Elementor Addons for WordPress Page Builder. Clean, Modern, Hand crafted designed Addons blocks.
* Plugin URI: https://master-addons.com/all-widgets/
* Author: Jewel Theme
- * Version: 2.0.7.2
+ * Version: 2.0.7.3
* Author URI: https://master-addons.com
* Text Domain: master-addons
* Domain Path: /languagesModSecurity Protection Against This CVE
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
ModSecurity
# Atomic Edge WAF Rule - CVE-2024-13362
# This rule blocks reflected XSS attempts via the 'url' parameter in Freemius trial notices.
# The attack vector uses javascript: pseudo-protocols or other XSS payloads in the 'url' GET parameter.
SecRule REQUEST_URI "@rx ^/wp-admin/admin.php"
"id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Freemius Reflected XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'"
SecRule ARGS_GET:url "@rx (?i:javascript:s*|data:s*text/html|vbscript:|onload=|onclick=|<script)"
"t:none,t:urlDecode,t:lowercase"
Frequently Asked Questions
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
