What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability in the Freemius SDK, affecting WordPress plugins that utilize Freemius versions up to 2.10.1. It allows unauthenticated attackers to inject arbitrary JavaScript via the ‘url’ parameter due to insufficient input sanitization.

How does this vulnerability work?

The vulnerability arises when the ‘url’ parameter is processed without proper sanitization or output escaping. Attackers can craft a malicious link that, when clicked by a user, executes JavaScript code in the context of the WordPress site, potentially leading to session hijacking or other malicious actions.

Who is affected by this vulnerability?

Any WordPress installation using the Freemius SDK version 2.10.1 or earlier is at risk. This includes multiple plugins and themes that incorporate this SDK, making a wide range of sites potentially vulnerable to exploitation.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Freemius SDK used by your plugins. You can do this by reviewing the plugin files or checking the plugin details in the WordPress admin dashboard. If the version is 2.10.1 or earlier, your site may be at risk.

What is the risk level of this vulnerability?

The CVSS score for CVE-2024-13362 is 6.1, indicating a medium severity level. This suggests that while the vulnerability does not impact system availability, it poses a significant risk to confidentiality and integrity, allowing attackers to execute scripts in users’ browsers.

How can I fix this vulnerability?

To remediate this vulnerability, update the Freemius SDK to a version that includes proper input sanitization and output escaping. Additionally, developers should implement safe coding practices, such as using encodeURIComponent for the ‘url’ parameter before inserting it into the DOM.

What are the best practices for mitigating XSS vulnerabilities?

Best practices include validating and sanitizing all user inputs, using output encoding when rendering data in the browser, and avoiding direct DOM manipulation with user-controlled data. Employing a Content Security Policy (CSP) can also help mitigate the impact of XSS attacks.

What does a proof of concept (PoC) demonstrate?

A proof of concept for this vulnerability typically shows how an attacker can craft a link with a malicious ‘url’ parameter that triggers JavaScript execution when a user clicks it. This illustrates the ease with which an attacker can exploit the vulnerability through social engineering.

What actions can an attacker perform if they exploit this vulnerability?

If successfully exploited, an attacker can execute arbitrary JavaScript in the victim’s browser. This could lead to session hijacking, manipulation of the WordPress admin panel, or redirection to malicious sites, posing significant risks to site security and user data.

How does social engineering play a role in this vulnerability?

Social engineering is crucial for exploiting this vulnerability because the attacker must trick a user into clicking a malicious link. Since the vulnerability does not require authentication, any user who clicks the link can be affected, making social engineering tactics particularly effective.

What should I do if I cannot update the Freemius SDK immediately?

If immediate updates are not possible, consider disabling the affected plugins or restricting access to user accounts until a patch is applied. Additionally, review your site’s security settings and educate users about the risks of clicking unknown links.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 17, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (wc-hkdigital-acba-gateway)

CVE ID CVE-2024-13362

Plugin wc-hkdigital-acba-gateway

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 1.2.6

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based): This is a Reflected DOM-Based Cross-Site Scripting vulnerability in the Freemius SDK library, affecting WordPress plugins/themes that use Freemius versions up to 2.10.1. The vulnerability allows unauthenticated attackers to inject arbitrary JavaScript via the ‘url’ parameter. The CVSS score of 6.1 (Medium) reflects a low impact on confidentiality and integrity with no impact on availability.

Root Cause: The CWE-79 classification combined with the description indicates that the Freemius SDK fails to properly sanitize input and escape output when handling the ‘url’ parameter. Atomic Edge analysis infers that the vulnerable code likely resides in a JavaScript file or an AJAX handler that reads the ‘url’ parameter from the query string and writes it directly into the DOM without encoding. This is a classic DOM-based XSS pattern where the sink is an unsafe DOM manipulation method like innerHTML or document.write, and the source is window.location or a GET parameter. The lack of output escaping allows an attacker to break out of the HTML context and inject script tags or event handlers.

Exploitation: An attacker crafts a malicious link containing a JavaScript payload in the ‘url’ parameter, for example: /wp-content/plugins/wc-hkdigital-acba-gateway/?url=javascript:alert(document.cookie). The attacker then tricks a logged-in user into clicking this link. The user’s browser executes the script in the context of the WordPress site’s origin, enabling the attacker to steal session cookies, perform actions on behalf of the user, or deface the page. Since no authentication is required to trigger the XSS, any user who clicks the link is vulnerable.

Remediation: The fix requires proper output escaping when the ‘url’ parameter value is inserted into the DOM. Developers should use encodeURIComponent or a dedicated sanitization function before using the parameter in JavaScript contexts. Alternatively, the Freemius SDK should validate the ‘url’ parameter against a whitelist of allowed protocols (e.g., http, https) and reject dangerous schemes like javascript: or data:. Atomic Edge research recommends avoiding DOM manipulation with user-controlled data unless it is safely encoded.

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser. This can lead to session hijacking, defacement of the WordPress admin panel, or redirection to malicious sites. As a reflected vulnerability, the attacker must rely on social engineering to deliver the payload, but the lack of authentication requirements makes many WordPress installations accessible to untargeted attacks.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Blocks reflected DOM XSS via the url parameter in Freemius SDK
SecRule REQUEST_URI "@contains /wc-hkdigital-acba-gateway/" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 - Reflected XSS via url parameter in Freemius SDK',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule ARGS_GET:url "@rx ^javascript:" 
    "t:none"

Frequently Asked Questions

What is CVE-2024-13362?
Understanding the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability in the Freemius SDK, affecting WordPress plugins that utilize Freemius versions up to 2.10.1. It allows unauthenticated attackers to inject arbitrary JavaScript via the ‘url’ parameter due to insufficient input sanitization.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises when the ‘url’ parameter is processed without proper sanitization or output escaping. Attackers can craft a malicious link that, when clicked by a user, executes JavaScript code in the context of the WordPress site, potentially leading to session hijacking or other malicious actions.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress installation using the Freemius SDK version 2.10.1 or earlier is at risk. This includes multiple plugins and themes that incorporate this SDK, making a wide range of sites potentially vulnerable to exploitation.
How can I check if my site is vulnerable?
Verifying your WordPress setup
To check if your site is vulnerable, verify the version of the Freemius SDK used by your plugins. You can do this by reviewing the plugin files or checking the plugin details in the WordPress admin dashboard. If the version is 2.10.1 or earlier, your site may be at risk.
What is the risk level of this vulnerability?
Understanding the CVSS score
The CVSS score for CVE-2024-13362 is 6.1, indicating a medium severity level. This suggests that while the vulnerability does not impact system availability, it poses a significant risk to confidentiality and integrity, allowing attackers to execute scripts in users’ browsers.
How can I fix this vulnerability?
Remediation steps
To remediate this vulnerability, update the Freemius SDK to a version that includes proper input sanitization and output escaping. Additionally, developers should implement safe coding practices, such as using encodeURIComponent for the ‘url’ parameter before inserting it into the DOM.
What are the best practices for mitigating XSS vulnerabilities?
Preventive measures
Best practices include validating and sanitizing all user inputs, using output encoding when rendering data in the browser, and avoiding direct DOM manipulation with user-controlled data. Employing a Content Security Policy (CSP) can also help mitigate the impact of XSS attacks.
What does a proof of concept (PoC) demonstrate?
Illustrating the vulnerability
A proof of concept for this vulnerability typically shows how an attacker can craft a link with a malicious ‘url’ parameter that triggers JavaScript execution when a user clicks it. This illustrates the ease with which an attacker can exploit the vulnerability through social engineering.
What actions can an attacker perform if they exploit this vulnerability?
Potential consequences of exploitation
If successfully exploited, an attacker can execute arbitrary JavaScript in the victim’s browser. This could lead to session hijacking, manipulation of the WordPress admin panel, or redirection to malicious sites, posing significant risks to site security and user data.
How does social engineering play a role in this vulnerability?
Exploitation methods
Social engineering is crucial for exploiting this vulnerability because the attacker must trick a user into clicking a malicious link. Since the vulnerability does not require authentication, any user who clicks the link can be affected, making social engineering tactics particularly effective.
What should I do if I cannot update the Freemius SDK immediately?
Interim measures
If immediate updates are not possible, consider disabling the affected plugins or restricting access to user accounts until a patch is applied. Additionally, review your site’s security settings and educate users about the risks of clicking unknown links.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations