What is CVE-2024-13362?

CVE-2024-13362 is a Reflected DOM-Based Cross-Site Scripting (XSS) vulnerability found in the Freemius framework, affecting versions 2.10.1 and below. It allows unauthenticated attackers to inject arbitrary JavaScript via the ‘url’ parameter due to insufficient input sanitization.

Who is affected by this vulnerability?

WordPress administrators using the Freemius framework version 2.10.1 or earlier, particularly those utilizing the Dynamic Copyright Year plugin version 1.0.4 or below, are at risk. Any site that processes the ‘url’ parameter without proper sanitization is potentially vulnerable.

How can I check if my site is affected?

To check if your site is affected, review the versions of the Freemius framework and the Dynamic Copyright Year plugin you have installed. If you are using Freemius version 2.10.1 or earlier and the Dynamic Copyright Year plugin version 1.0.4 or earlier, your site is vulnerable.

What does the CVSS score of 6.1 mean?

The CVSS score of 6.1 indicates a medium severity vulnerability. This reflects that while exploitation requires user interaction, it can lead to significant consequences such as session hijacking or data theft within the WordPress context.

How does the exploitation of this vulnerability work?

An attacker can craft a malicious URL containing a JavaScript payload in the ‘url’ parameter. When a victim clicks on this link, the Freemius script processes the parameter, injecting the payload into the DOM and executing it, potentially compromising the user’s session.

What steps should I take to remediate this vulnerability?

To remediate CVE-2024-13362, update the Freemius framework to version 2.10.2 or later and the Dynamic Copyright Year plugin to version 1.1 or later. These updates include proper validation and sanitization of the ‘url’ parameter.

What mitigation strategies can I implement?

In addition to updating, ensure that all user inputs are properly sanitized and escaped before being output to the browser. Implement security best practices such as using security plugins and regularly reviewing your site for vulnerabilities.

What is the proof of concept for this vulnerability?

The proof of concept involves crafting a URL like ‘?url=javascript:alert(document.cookie)’. When a user clicks this link, it triggers the XSS vulnerability, demonstrating how an attacker can execute arbitrary JavaScript in the victim’s browser.

What are the potential impacts of this vulnerability?

If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the context of the victim’s browser. This can lead to session hijacking, redirection to malicious sites, and exposure of sensitive information.

How can I stay informed about vulnerabilities like this?

To stay informed, subscribe to security mailing lists, follow security blogs, and regularly check the National Vulnerability Database (NVD) or similar resources for updates on vulnerabilities affecting WordPress and its plugins.

What should I do if I cannot update immediately?

If immediate updates are not possible, consider disabling the affected plugins or features that utilize the Freemius framework until you can apply the necessary updates. Additionally, educate users about the risks of clicking on untrusted links.

Can this vulnerability affect other plugins or themes?

Yes, since the Freemius framework is embedded in multiple WordPress plugins and themes, any of those that do not properly handle the ‘url’ parameter could also be vulnerable to similar exploitation.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 17, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (dynamic-copyright-year)

CVE ID CVE-2024-13362

Plugin dynamic-copyright-year

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 1.0.4

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based):
This vulnerability is a Reflected DOM-Based Cross-Site Scripting (XSS) found in the Freemius framework (version <= 2.10.1), affecting multiple WordPress plugins and themes that embed it, including the "Dynamic Copyright Year" plugin (versions <= 1.0.4). The attack vector involves the 'url' parameter, which is insufficiently sanitized and escaped, allowing unauthenticated attackers to inject arbitrary JavaScript that executes when a victim clicks a crafted link.

Root Cause: Based on the CWE-79 classification and description, the root cause stems from improper neutralization of the 'url' parameter during web page generation. Atomic Edge research infers that the vulnerable code likely retrieves the 'url' parameter from user input (e.g., via $_GET or $_POST) and directly embeds it into a DOM element (e.g., for redirect or tracking purposes) without applying proper sanitization (like esc_url_raw) or output escaping (like esc_js or json_encode). Without a code diff, this conclusion is inferred from the vulnerability type and WordPress plugin conventions.

Exploitation: An unauthenticated attacker can craft a malicious URL that includes a 'url' parameter containing a JavaScript payload, such as: ?url=javascript:alert(document.cookie). When a victim visits this crafted URL and the Freemius script processes the parameter, it injects the payload into the DOM, triggering XSS. The attack requires user interaction (clicking a link), but no authentication is needed. The likely endpoint is any page where Freemius is loaded and uses the 'url' parameter, possibly via an AJAX handler or inline script.

Remediation: The patched version (1.1) likely validates the 'url' parameter against an allowed list of URL schemes (e.g., http, https) using functions like wp_http_validate_url or esc_url_raw. The output should be escaped with esc_js or encoded via json_encode before insertion into JavaScript. Plugin administrators should update all plugins and themes using Freemius to version 2.10.2 or later.

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the WordPress context. This can lead to theft of session cookies, redirection to malicious sites, defacement, or extraction of sensitive data displayed on the page. The CVSS score of 6.1 (Medium) reflects the need for user interaction and the limited impact on confidentiality and integrity.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Blocks reflected DOM-XSS via the 'url' parameter by detecting javascript: scheme and common XSS payloads
SecRule REQUEST_URI "@contains ?" "id:20262001,phase:1,deny,status:403,chain,msg:'CVE-2024-13362 - Reflected XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'"
SecRule ARGS:url "@rx (?:javascript|data|vbscript|onw+)[sS]*" "t:lowercase,t:urlDecodeUni,chain"
SecRule ARGS:url "@rx [<>]" "t:lowercase"

Frequently Asked Questions

What is CVE-2024-13362?
Understanding the vulnerability
CVE-2024-13362 is a Reflected DOM-Based Cross-Site Scripting (XSS) vulnerability found in the Freemius framework, affecting versions 2.10.1 and below. It allows unauthenticated attackers to inject arbitrary JavaScript via the ‘url’ parameter due to insufficient input sanitization.
Who is affected by this vulnerability?
Identifying impacted users
WordPress administrators using the Freemius framework version 2.10.1 or earlier, particularly those utilizing the Dynamic Copyright Year plugin version 1.0.4 or below, are at risk. Any site that processes the ‘url’ parameter without proper sanitization is potentially vulnerable.
How can I check if my site is affected?
Verifying your WordPress setup
To check if your site is affected, review the versions of the Freemius framework and the Dynamic Copyright Year plugin you have installed. If you are using Freemius version 2.10.1 or earlier and the Dynamic Copyright Year plugin version 1.0.4 or earlier, your site is vulnerable.
What does the CVSS score of 6.1 mean?
Understanding severity levels
The CVSS score of 6.1 indicates a medium severity vulnerability. This reflects that while exploitation requires user interaction, it can lead to significant consequences such as session hijacking or data theft within the WordPress context.
How does the exploitation of this vulnerability work?
Mechanics of the attack
An attacker can craft a malicious URL containing a JavaScript payload in the ‘url’ parameter. When a victim clicks on this link, the Freemius script processes the parameter, injecting the payload into the DOM and executing it, potentially compromising the user’s session.
What steps should I take to remediate this vulnerability?
Updating your software
To remediate CVE-2024-13362, update the Freemius framework to version 2.10.2 or later and the Dynamic Copyright Year plugin to version 1.1 or later. These updates include proper validation and sanitization of the ‘url’ parameter.
What mitigation strategies can I implement?
Preventative measures
In addition to updating, ensure that all user inputs are properly sanitized and escaped before being output to the browser. Implement security best practices such as using security plugins and regularly reviewing your site for vulnerabilities.
What is the proof of concept for this vulnerability?
Demonstrating the issue
The proof of concept involves crafting a URL like ‘?url=javascript:alert(document.cookie)’. When a user clicks this link, it triggers the XSS vulnerability, demonstrating how an attacker can execute arbitrary JavaScript in the victim’s browser.
What are the potential impacts of this vulnerability?
Consequences of exploitation
If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the context of the victim’s browser. This can lead to session hijacking, redirection to malicious sites, and exposure of sensitive information.
How can I stay informed about vulnerabilities like this?
Keeping up with security updates
To stay informed, subscribe to security mailing lists, follow security blogs, and regularly check the National Vulnerability Database (NVD) or similar resources for updates on vulnerabilities affecting WordPress and its plugins.
What should I do if I cannot update immediately?
Temporary measures
If immediate updates are not possible, consider disabling the affected plugins or features that utilize the Freemius framework until you can apply the necessary updates. Additionally, educate users about the risks of clicking on untrusted links.
Can this vulnerability affect other plugins or themes?
Broader implications
Yes, since the Freemius framework is embedded in multiple WordPress plugins and themes, any of those that do not properly handle the ‘url’ parameter could also be vulnerable to similar exploitation.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations