What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability affecting multiple WordPress plugins and themes using the Freemius SDK version 2.10.1 and earlier. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘url’ parameter due to insufficient input sanitization.

How does the vulnerability work?

The vulnerability occurs when the ‘url’ parameter is processed without proper sanitization, allowing attackers to craft malicious links. When a user clicks such a link, the injected script executes in their browser context, potentially leading to session hijacking or redirection to malicious sites.

Who is affected by this vulnerability?

Any WordPress site using the Freemius SDK version 2.10.1 or earlier is at risk, particularly if it has plugins or themes that utilize the five-star-ratings-shortcode. Site administrators should check their installed plugins for the Freemius SDK version.

How can I check if my site is vulnerable?

To check for vulnerability, identify if your site uses the Freemius SDK and the version in use. If it is version 2.10.1 or earlier, your site is vulnerable. Additionally, review your plugins for the specific usage of the ‘url’ parameter in admin or frontend pages.

What is the severity level of this vulnerability?

CVE-2024-13362 has a CVSS score of 6.1, classified as medium severity. This indicates that while the vulnerability requires user interaction to exploit, it poses a significant risk, especially to site administrators who may have elevated privileges.

What are the potential impacts of this vulnerability?

If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the victim’s browser, leading to session hijacking, cookie theft, or unauthorized actions on behalf of the user. The impact is particularly severe for logged-in administrators.

How can I remediate this vulnerability?

To remediate CVE-2024-13362, update the Freemius SDK to version 2.10.2 or later, which includes fixes for the ‘url’ parameter handling. Additionally, ensure that any custom code sanitizes the ‘url’ parameter using WordPress functions like esc_url_raw() and wp_kses().

What is virtual patching and how can it help?

Virtual patching involves using a Web Application Firewall (WAF) to block malicious requests targeting the vulnerable ‘url’ parameter. This can provide a temporary safeguard until the underlying issue is resolved through code updates.

What does the proof of concept demonstrate?

The proof of concept shows how an attacker can exploit the vulnerability by crafting a malicious URL that leverages the ‘url’ parameter. It illustrates the need for user interaction, as the attack requires a victim to click the crafted link for the script to execute.

What are the recommended practices for WordPress security?

To enhance WordPress security, regularly update all plugins and themes, use security plugins to monitor vulnerabilities, implement strong user access controls, and conduct periodic security audits. Awareness of vulnerabilities like CVE-2024-13362 is crucial for maintaining site integrity.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 7, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (five-star-ratings-shortcode)

CVE ID CVE-2024-13362

Plugin five-star-ratings-shortcode

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 1.2.56

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based): This is a reflected DOM-based cross-site scripting (XSS) vulnerability found in multiple WordPress plugins and themes that use the Freemius SDK library, specifically version 2.10.1 and earlier. The flaw exists in the handling of the ‘url’ parameter, allowing unauthenticated attackers to inject arbitrary web scripts. The CVSS score is 6.1 (Medium), with a vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network-based exploitation with low complexity and no privileges required, but requiring user interaction.

The root cause, inferred from the CWE (79) and the vulnerability description, is insufficient input sanitization and output escaping of the ‘url’ parameter within the Freemius SDK. The SDK likely takes a ‘url’ parameter and uses it to construct a redirect or load external content (common in Freemius for authentication or license activation flows). Without proper escaping, this parameter is inserted into the DOM via JavaScript. Since it is DOM-based, the attack payload executes in the browser context without being reflected in the HTML source code, making it detectable only via DOM analysis. This conclusion is inferred from the vulnerability type and common Freemius SDK patterns; no code diff was available for confirmation.

Exploitation requires tricking a user into clicking a crafted link. The attack vector is typically through the Freemius SDK’s JavaScript handler that processes the ‘url’ parameter, often found in the plugin’s admin pages or frontend authentication flows. An attacker would craft a malicious URL such as: https://target-site.com/wp-admin/admin.php?page=plugin-settings&url=javascript:alert(document.cookie). When a logged-in administrator clicks this link, the JavaScript executes in their browser. The lack of nonce verification or capability checks in the SDK’s handling of this parameter makes it accessible to unauthenticated attackers.

Remediation requires sanitizing the ‘url’ parameter using WordPress functions like esc_url_raw() for URL validation and wp_kses() for HTML context escaping. The fix should be applied in the Freemius SDK version 2.10.2, which processes the ‘url’ parameter. Plugin developers should update to the latest Freemius SDK version. For virtual patching, the WAF rule should target the specific URL patterns where the Freemius SDK processes the ‘url’ parameter, blocking requests with ‘javascript:’ or ‘data:’ URI schemes.

If exploited, this vulnerability allows an attacker to execute arbitrary JavaScript in the context of the victim’s browser session. This can lead to session hijacking, cookie theft, ake of admin actions, or redirection to malicious sites. Since the attack is reflected and requires user interaction, the impact is limited to actions the victim can perform, but an administrator victim could expose full site control. The scope is changed (S:C) because the attack can affect resources beyond the vulnerable application.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Blocks reflected DOM-based XSS via 'url' parameter in Freemius SDK pages
# Targets the known vulnerable parameter pattern: url=javascript:

SecRule REQUEST_URI "@contains /wp-admin/admin.php" 
  "id:202613362,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Freemius DOM XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule ARGS_GET:url "@rx ^(javascript|data|vbscript):" 
    "t:lowercase,t:urlDecode"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// Assumptions:
// 1. The vulnerable parameter is 'url' used in Freemius SDK pages.
// 2. The Freemius SDK is used by a WordPress plugin like 'five-star-ratings-shortcode'.
// 3. The vulnerable page is typically under /wp-admin/admin.php with a Freemius-related page parameter.
// 4. No authentication is required to trigger the XSS (user interaction only).

die('This PoC requires user interaction (click). See comments for manual testing URL.');

/*
Manual Testing URL:
https://target.example.com/wp-admin/admin.php?page=freemius&url=javascript:alert(document.domain)

Replace 'target.example.com' with the actual vulnerable WordPress site.
The 'page' parameter value may vary; common values include:
  - freemius
  - plugin-slug-freemius (e.g., five-star-ratings-shortcode-freemius)
  - any page that loads the Freemius SDK JavaScript

To test, visit this URL while logged out and click a button that triggers the SDK's process.
If the alert() executes, the site is vulnerable.

For automated PoC, a headless browser or curl with JavaScript execution would be needed.
*/
?>

Frequently Asked Questions

What is CVE-2024-13362?
Overview of the vulnerability
CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability affecting multiple WordPress plugins and themes using the Freemius SDK version 2.10.1 and earlier. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘url’ parameter due to insufficient input sanitization.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs when the ‘url’ parameter is processed without proper sanitization, allowing attackers to craft malicious links. When a user clicks such a link, the injected script executes in their browser context, potentially leading to session hijacking or redirection to malicious sites.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Freemius SDK version 2.10.1 or earlier is at risk, particularly if it has plugins or themes that utilize the five-star-ratings-shortcode. Site administrators should check their installed plugins for the Freemius SDK version.
How can I check if my site is vulnerable?
Steps for assessment
To check for vulnerability, identify if your site uses the Freemius SDK and the version in use. If it is version 2.10.1 or earlier, your site is vulnerable. Additionally, review your plugins for the specific usage of the ‘url’ parameter in admin or frontend pages.
What is the severity level of this vulnerability?
Understanding the CVSS score
CVE-2024-13362 has a CVSS score of 6.1, classified as medium severity. This indicates that while the vulnerability requires user interaction to exploit, it poses a significant risk, especially to site administrators who may have elevated privileges.
What are the potential impacts of this vulnerability?
Consequences of exploitation
If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the victim’s browser, leading to session hijacking, cookie theft, or unauthorized actions on behalf of the user. The impact is particularly severe for logged-in administrators.
How can I remediate this vulnerability?
Fixing the issue
To remediate CVE-2024-13362, update the Freemius SDK to version 2.10.2 or later, which includes fixes for the ‘url’ parameter handling. Additionally, ensure that any custom code sanitizes the ‘url’ parameter using WordPress functions like esc_url_raw() and wp_kses().
What is virtual patching and how can it help?
Temporary mitigation strategies
Virtual patching involves using a Web Application Firewall (WAF) to block malicious requests targeting the vulnerable ‘url’ parameter. This can provide a temporary safeguard until the underlying issue is resolved through code updates.
What does the proof of concept demonstrate?
Understanding the testing method
The proof of concept shows how an attacker can exploit the vulnerability by crafting a malicious URL that leverages the ‘url’ parameter. It illustrates the need for user interaction, as the attack requires a victim to click the crafted link for the script to execute.
What are the recommended practices for WordPress security?
General security measures
To enhance WordPress security, regularly update all plugins and themes, use security plugins to monitor vulnerabilities, implement strong user access controls, and conduct periodic security audits. Awareness of vulnerabilities like CVE-2024-13362 is crucial for maintaining site integrity.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations