What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability affecting multiple WordPress plugins and themes that utilize the Freemius SDK up to version 2.10.1. It allows unauthenticated attackers to inject arbitrary web scripts via the url parameter due to insufficient input sanitization and output escaping.

Who is affected by this vulnerability?

The vulnerability affects users of the blockspare plugin version 3.2.6 and earlier. Any WordPress site using this version of the plugin and the Freemius SDK is at risk, particularly if it allows user interaction with URLs containing malicious parameters.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify if you are using the blockspare plugin version 3.2.6 or earlier. Additionally, review your site’s use of the url parameter in JavaScript and assess if it is being inserted into the DOM without proper sanitization.

What are the practical risks associated with this vulnerability?

The practical risks include the potential for attackers to execute arbitrary JavaScript in the context of a user’s browser session. This can lead to cookie theft, redirection to malicious sites, or phishing attacks, although exploitation requires user interaction.

How can I fix this vulnerability?

To fix this vulnerability, update the blockspare plugin to version 3.2.8 or later, which includes necessary security patches. Additionally, ensure that any use of the url parameter in your code employs proper output encoding and validation.

What is reflected DOM-based XSS?

Reflected DOM-based XSS occurs when a web application includes unvalidated input from the URL directly into the web page’s DOM. An attacker can craft a URL with malicious scripts, which executes when a user clicks the link, compromising their session.

What is the CVSS score and what does it indicate?

CVE-2024-13362 has a CVSS score of 6.1, indicating a medium severity level. This score reflects the potential impact of the vulnerability and the required user interaction for exploitation, suggesting that while it is serious, it may not be as critical as high-severity vulnerabilities.

What is a proof of concept for this vulnerability?

A proof of concept for CVE-2024-13362 involves crafting a malicious URL that includes a script payload in the url parameter, such as ‘javascript:alert(1)’. When a user clicks this link, the script executes, demonstrating how the vulnerability can be exploited.

What should I do if my site is compromised?

If your site is compromised due to this vulnerability, immediately assess the extent of the breach, change all passwords, and remove any unauthorized scripts or modifications. It is also crucial to update the affected plugins and review your security practices.

How does the Freemius SDK contribute to this vulnerability?

The Freemius SDK is involved in handling URL parameters for various plugins, including blockspare. If it does not properly sanitize or escape user input from the URL, it can lead to vulnerabilities like the one described in CVE-2024-13362.

Can this vulnerability be exploited without authentication?

Yes, this vulnerability can be exploited without authentication, meaning that unauthenticated attackers can potentially execute scripts in the context of a user’s browser session simply by tricking them into clicking a malicious link.

What coding practices can prevent similar vulnerabilities?

To prevent similar vulnerabilities, developers should always validate and sanitize user input, especially when it is used in the DOM. Employing secure coding practices, such as using safe methods for inserting content into the DOM and implementing a content security policy (CSP), can significantly reduce risks.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (blockspare)

CVE ID CVE-2024-13362

Plugin blockspare

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 3.2.6

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based):
This is a reflected DOM-based cross-site scripting (XSS) vulnerability in multiple WordPress plugins and themes using the Freemius SDK up to version 2.10.1, specifically affecting the blockspare plugin version 3.2.6 and earlier. An unauthenticated attacker can inject arbitrary web scripts via the url parameter, with a CVSS score of 6.1 due to the requirement for user interaction.

The root cause, inferred from the CWE-79 classification and description, is insufficient input sanitization and output escaping of the url parameter before it is used in DOM manipulation. In DOM-based XSS, the vulnerable code typically reads the url parameter from the URL (e.g., via window.location.search or a JavaScript framework’s routing) and unsafely inserts it into the page DOM (e.g., via innerHTML or document.write). This is confirmed by Atomic Edge analysis of the Freemius SDK’s common patterns for handling redirect URLs. We cannot confirm the exact code path without source code, but the pattern is well-documented for similar Freemius vulnerabilities.

An attacker crafts a malicious link containing a url parameter with an XSS payload, such as javascript:alert(1) or a data: URI. The victim must click this link, which triggers the vulnerable DOM sink. For the blockspare plugin, the likely endpoint is the plugin’s settings or onboarding page that uses the url parameter for redirect handling, for example /wp-admin/options-general.php?page=blockspare&url=javascript:alert(1). The attack does not require authentication and can be delivered via email, chat, or other social engineering.

Remediation, as inferred from the CWE classification, requires proper output encoding when the url parameter value is inserted into the DOM. The plugin (or the Freemius SDK) should use safe JavaScript methods like encodeURI or setAttribute for URLs, or validate the url parameter against a whitelist of allowed domains. The patch in version 3.2.8 likely applies these defenses.

If exploited, an attacker can execute arbitrary JavaScript in the context of the victim’s browser session on the WordPress site. This could lead to cookie theft (including session tokens), redirection to malicious sites, defacement of the current page, or phishing by injecting login forms. The impact is limited by the need for user interaction and the fact that only the user’s session is compromised, not the server itself.

Frequently Asked Questions

What is CVE-2024-13362?
Overview of the vulnerability
CVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability affecting multiple WordPress plugins and themes that utilize the Freemius SDK up to version 2.10.1. It allows unauthenticated attackers to inject arbitrary web scripts via the url parameter due to insufficient input sanitization and output escaping.
Who is affected by this vulnerability?
Identifying vulnerable installations
The vulnerability affects users of the blockspare plugin version 3.2.6 and earlier. Any WordPress site using this version of the plugin and the Freemius SDK is at risk, particularly if it allows user interaction with URLs containing malicious parameters.
How can I check if my site is vulnerable?
Steps to identify vulnerability
To check if your site is vulnerable, verify if you are using the blockspare plugin version 3.2.6 or earlier. Additionally, review your site’s use of the url parameter in JavaScript and assess if it is being inserted into the DOM without proper sanitization.
What are the practical risks associated with this vulnerability?
Understanding the impact
The practical risks include the potential for attackers to execute arbitrary JavaScript in the context of a user’s browser session. This can lead to cookie theft, redirection to malicious sites, or phishing attacks, although exploitation requires user interaction.
How can I fix this vulnerability?
Remediation steps
To fix this vulnerability, update the blockspare plugin to version 3.2.8 or later, which includes necessary security patches. Additionally, ensure that any use of the url parameter in your code employs proper output encoding and validation.
What is reflected DOM-based XSS?
Explaining the attack vector
Reflected DOM-based XSS occurs when a web application includes unvalidated input from the URL directly into the web page’s DOM. An attacker can craft a URL with malicious scripts, which executes when a user clicks the link, compromising their session.
What is the CVSS score and what does it indicate?
Understanding the severity rating
CVE-2024-13362 has a CVSS score of 6.1, indicating a medium severity level. This score reflects the potential impact of the vulnerability and the required user interaction for exploitation, suggesting that while it is serious, it may not be as critical as high-severity vulnerabilities.
What is a proof of concept for this vulnerability?
Demonstrating the exploit
A proof of concept for CVE-2024-13362 involves crafting a malicious URL that includes a script payload in the url parameter, such as ‘javascript:alert(1)’. When a user clicks this link, the script executes, demonstrating how the vulnerability can be exploited.
What should I do if my site is compromised?
Response to exploitation
If your site is compromised due to this vulnerability, immediately assess the extent of the breach, change all passwords, and remove any unauthorized scripts or modifications. It is also crucial to update the affected plugins and review your security practices.
How does the Freemius SDK contribute to this vulnerability?
Role of the SDK
The Freemius SDK is involved in handling URL parameters for various plugins, including blockspare. If it does not properly sanitize or escape user input from the URL, it can lead to vulnerabilities like the one described in CVE-2024-13362.
Can this vulnerability be exploited without authentication?
Access requirements for exploitation
Yes, this vulnerability can be exploited without authentication, meaning that unauthenticated attackers can potentially execute scripts in the context of a user’s browser session simply by tricking them into clicking a malicious link.
What coding practices can prevent similar vulnerabilities?
Best practices for developers
To prevent similar vulnerabilities, developers should always validate and sanitize user input, especially when it is used in the DOM. Employing secure coding practices, such as using safe methods for inserting content into the DOM and implementing a content security policy (CSP), can significantly reduce risks.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations