Atomic Edge analysis of CVE-2024-13362:
This vulnerability is a Reflected DOM-Based Cross-Site Scripting (XSS) vulnerability in the Freemius SDK library (versions 2.10.1 and prior), which is bundled with the Master Addons WordPress plugin (versions 2.0.7.2 and prior). The flaw lies in the trial promotion notice rendering mechanism, where the `trial_promotion_message` filter is applied to a string that was previously concatenated with a raw HTML button. An unauthenticated attacker can inject arbitrary JavaScript into the admin notice by crafting a malicious `url` parameter, which executes when an administrator clicks a crafted link.
The root cause is in `/master-addons/lib/freemius/includes/class-freemius.php`, specifically within the `_add_trial_notice()` method around line 24000. The original code concatenated a user-supplied URL (`$trial_url`) directly into an HTML anchor tag’s `href` attribute inside a sprintf call. The `$trial_url` value originates from the `url` GET parameter passed to the plugin’s admin page. The `apply_filters()` call on line 24015 was applied to the entire message string (including the raw `$button` HTML), but the URL itself was never sanitized or validated before being injected into the markup. The filter function `trial_promotion_message` allows other plugins to manipulate the message, but the core issue is that the unsanitized URL parameter flows directly into a JavaScript-executable context (a hyperlink).
An attacker can exploit this by crafting a URL to a WordPress admin page loaded by the Master Addons plugin, appending a `url` parameter containing a JavaScript payload. For example, an attacker sends a link like `/wp-admin/admin.php?page=master-addons&url=javascript:alert(document.cookie)`. When an administrator clicks this link, the vulnerable Freemius code renders the trial promotion notice with the attacker-controlled `url` value as an `href` attribute. The `javascript:` pseudo-protocol executes the attacker’s script in the context of the admin dashboard. The attack is reflected (not stored) and requires user interaction (the admin must click the link), but no authentication is required to trigger the notice rendering code.
The patch, as shown in the diff for Freemius version 2.11.0, restructures the trial notice generation. The new code on line 24002 removes the user-controlled URL from the direct `sprintf` HTML construction. Instead, it creates a separate message variable (`$message_text`) that filters only the text message and the credit card string (excluding the button). The button is then wrapped in a `
Differential between vulnerable and patched code
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/master-addons/addons/ma-image-carousel/ma-image-carousel.php
+++ b/master-addons/addons/ma-image-carousel/ma-image-carousel.php
@@ -64,7 +64,7 @@
public function get_script_depends()
{
return [
- 'ma-swiper',
+ 'swiper',
'fancybox',
'master-addons-scripts'
];
@@ -73,7 +73,7 @@
public function get_style_depends()
{
return [
- 'ma-swiper',
+ 'e-swiper',
'fancybox',
'master-addons-main-style'
];
--- a/master-addons/addons/ma-logo-slider/ma-logo-slider.php
+++ b/master-addons/addons/ma-logo-slider/ma-logo-slider.php
@@ -52,7 +52,7 @@
public function get_style_depends()
{
return [
- 'ma-swiper',
+ 'e-swiper',
'jltma-tippy',
'font-awesome-5-all',
'font-awesome-4-shim'
@@ -62,7 +62,7 @@
public function get_script_depends()
{
return [
- 'ma-swiper',
+ 'swiper',
'jltma-popper',
'jltma-tippy',
'master-addons-scripts'
--- a/master-addons/addons/ma-pricing-table/ma-pricing-table.php
+++ b/master-addons/addons/ma-pricing-table/ma-pricing-table.php
@@ -2413,7 +2413,7 @@
}
if (!empty($item['ma_el_pricing_table_tooltip_text'])) {
- $this->add_render_attribute('features', 'data-tippy', '', true);
+ $this->add_render_attribute('features', 'data-tippy', '1', true);
$this->add_render_attribute('features', 'data-tippy-content', $item['ma_el_pricing_table_tooltip_text'], true);
}
--- a/master-addons/addons/ma-team-members-slider/ma-team-members-slider.php
+++ b/master-addons/addons/ma-team-members-slider/ma-team-members-slider.php
@@ -49,12 +49,12 @@
}
public function get_script_depends() {
- return ['ma-swiper', 'gridder', 'master-addons-scripts'];
+ return ['swiper', 'gridder', 'master-addons-scripts'];
}
public function get_style_depends() {
return [
- 'ma-swiper',
+ 'e-swiper',
'gridder',
'font-awesome-5-all',
'font-awesome-4-shim'
@@ -487,10 +487,10 @@
{{WRAPPER}} .jltma-team-member-circle,
{{WRAPPER}} .jltma-team-member-social-left,
{{WRAPPER}} .jltma-team-carousel-wrapper,
- {{WRAPPER}} .swiper-container-fade .swiper-slide,
+ {{WRAPPER}} .swiper-fade .swiper-slide,
{{WRAPPER}} .jltma-team-member-rounded' => 'background: {{VALUE}};',
- '{{WRAPPER}} .gridder .gridder-show' => 'background-color: {{VALUE}};',
- '{{WRAPPER}} #animation_svg_04 circle' => 'fill: {{VALUE}}',
+ '{{WRAPPER}} .gridder .gridder-show' => 'background-color: {{VALUE}};',
+ '{{WRAPPER}} #animation_svg_04 circle' => 'fill: {{VALUE}}',
],
] );
$this->add_control( 'ma_el_team_carousel_content_align', [
--- a/master-addons/addons/ma-tooltip/ma-tooltip.php
+++ b/master-addons/addons/ma-tooltip/ma-tooltip.php
@@ -409,18 +409,18 @@
]
);
- $this->add_control(
- 'jltma_tooltip_arrow',
- [
- 'label' => esc_html__('Arrow', 'master-addons'),
- 'type' => Controls_Manager::SWITCHER,
- 'render_type' => 'none',
- 'frontend_available' => true,
- 'condition' => [
- 'jltma_tooltip_animation!' => 'fill'
- ],
- ]
- );
+ // $this->add_control(
+ // 'jltma_tooltip_arrow',
+ // [
+ // 'label' => esc_html__('Arrow', 'master-addons'),
+ // 'type' => Controls_Manager::SWITCHER,
+ // 'render_type' => 'none',
+ // 'frontend_available' => true,
+ // 'condition' => [
+ // 'jltma_tooltip_animation!' => 'fill'
+ // ],
+ // ]
+ // );
$this->add_control(
'jltma_tooltip_arrow_type',
--- a/master-addons/inc/classes/assets-manager.php
+++ b/master-addons/inc/classes/assets-manager.php
@@ -62,13 +62,7 @@
public function jltma_register_frontend_scripts() {
$suffix = ( defined( 'SCRIPT_DEBUG' ) && SCRIPT_DEBUG ? '' : '.min' );
$jltma_vendor_dir = JLTMA_URL . '/assets/vendor/';
- wp_register_script(
- 'ma-swiper',
- $jltma_vendor_dir . 'swiper/js/swiper-bundle.min.js',
- ['jquery'],
- JLTMA_VER,
- true
- );
+ // wp_register_script('ma-swiper', $jltma_vendor_dir . 'swiper/js/swiper-bundle.min.js', ['jquery'], JLTMA_VER, true);
wp_register_script(
'ma-animated-headlines',
JLTMA_URL . '/assets/js/animated-main.js',
@@ -168,7 +162,7 @@
true
);
// Swiper
- wp_register_style( 'ma-swiper', $jltma_vendor_dir . 'swiper/css/swiper.min.css' );
+ // wp_register_style('ma-swiper', $jltma_vendor_dir . 'swiper/css/swiper.min.css');
// Tippy JS
wp_register_style( 'jltma-tippy', $jltma_vendor_dir . 'tippyjs/css/tippy.css' );
wp_register_script(
--- a/master-addons/inc/modules/glassmorphism/glassmorphism.php
+++ b/master-addons/inc/modules/glassmorphism/glassmorphism.php
@@ -78,8 +78,8 @@
'default' => 20,
'selectors' => [
'{{WRAPPER}}.jltma-glass-effect-yes.elementor-section' => 'backdrop-filter: blur({{SIZE}}px); -webkit-backdrop-filter: blur({{SIZE}}px);',
- '{{WRAPPER}}.jltma-glass-effect-yes > .elementor-column-wrap' => 'backdrop-filter: blur({{SIZE}}px); -webkit-backdrop-filter: blur({{SIZE}}px);',
- '{{WRAPPER}}.jltma-glass-effect-yes > .elementor-widget-container' => 'backdrop-filter: blur({{SIZE}}px); -webkit-backdrop-filter: blur({{SIZE}}px);',
+ '{{WRAPPER}}.jltma-glass-effect-yes > .elementor-widget-wrap' => 'backdrop-filter: blur({{SIZE}}px); -webkit-backdrop-filter: blur({{SIZE}}px);',
+ '{{WRAPPER}}.jltma-glass-effect-yes > .elementor-widget' => 'backdrop-filter: blur({{SIZE}}px); -webkit-backdrop-filter: blur({{SIZE}}px);',
],
'condition' => [
'jltma_enable_glassmorphism_effect' => 'yes'
--- a/master-addons/inc/modules/particles/particles.php
+++ b/master-addons/inc/modules/particles/particles.php
@@ -33,7 +33,7 @@
public function register_controls($element, $section_id, $args)
{
- if (('section' === $element->get_name() && 'section_background' === $section_id) || ('column' === $element->get_name() && 'section_style' === $section_id)) {
+ if (('section' === $element->get_name() && 'section_background' === $section_id) || ('column' === $element->get_name() && 'section_style' === $section_id) || ('container' === $element->get_name() && 'section_background' === $section_id)) {
$element->start_controls_section(
'ma_el_particles',
@@ -214,7 +214,7 @@
public function _before_render($element)
{
- if ($element->get_name() != 'section' && $element->get_name() != 'column') {
+ if ($element->get_name() != 'section' && $element->get_name() != 'column' && $element->get_name() != 'container') {
return;
}
@@ -225,15 +225,16 @@
}
}
+
function _print_template($template, $widget)
{
- if ($widget->get_name() != 'section' && $widget->get_name() != 'column') {
+ if ($widget->get_name() != 'section' && $widget->get_name() != 'column' && $widget->get_name() != 'container') {
return $template;
}
$old_template = $template;
ob_start();
-?>
+ ?>
<div class="jltma-particle-wrapper" id="jltma-particle-{{ view.getID() }}" data-ma-el-pdata=" {{ settings
.ma_el_particle_json }}"></div>
@@ -252,7 +253,6 @@
$settings = $element->get_settings_for_display();
$type = $data['elType'];
$zindex = !empty($settings['ma_el_particle_area_zindex']) ? $settings['ma_el_particle_area_zindex'] : 0;
-
if (('section' === $type) && ($element->get_settings('ma_el_enable_particles') === 'yes')) {
?>
<style>
--- a/master-addons/inc/traits/swiper-controls.php
+++ b/master-addons/inc/traits/swiper-controls.php
@@ -1146,7 +1146,7 @@
'size' => 10
],
'selectors' => [
- '{{WRAPPER}} .swiper-container' => 'padding: {{SIZE}}{{UNIT}}; margin: 0 -{{SIZE}}{{UNIT}};'
+ '{{WRAPPER}} .swiper' => 'padding: {{SIZE}}{{UNIT}}; margin: 0 -{{SIZE}}{{UNIT}};'
]
]
);
@@ -1974,7 +1974,7 @@
],
],
'selectors' => [
- '{{WRAPPER}} .swiper-scrollbar, {{WRAPPER}} .jltma-' . $name . '-wrapper .swiper-container-horizontal > .swiper-scrollbar' => 'height: {{SIZE}}px;',
+ '{{WRAPPER}} .swiper-scrollbar, {{WRAPPER}} .jltma-' . $name . '-wrapper .swiper-horizontal > .swiper-scrollbar' => 'height: {{SIZE}}px;',
],
'condition' => [
'show_scrollbar' => 'yes'
@@ -2547,7 +2547,7 @@
]
],
'selectors' => [
- '{{WRAPPER}} .swiper-scrollbar, {{WRAPPER}} .jltma-' . $name . ' .swiper-container-horizontal > .swiper-scrollbar' => 'top: {{SIZE}}px;',
+ '{{WRAPPER}} .swiper-scrollbar, {{WRAPPER}} .jltma-' . $name . ' .swiper-horizontal > .swiper-scrollbar' => 'top: {{SIZE}}px;',
],
'condition' => [
'show_scrollbar' => 'yes'
--- a/master-addons/lib/freemius/includes/class-freemius.php
+++ b/master-addons/lib/freemius/includes/class-freemius.php
@@ -24000,13 +24000,15 @@
// Start trial button.
$button = ' ' . sprintf(
- '<a style="margin-left: 10px; vertical-align: super;" href="%s"><button class="button button-primary">%s ➜</button></a>',
+ '<div><a class="button button-primary" href="%s">%s ➜</a></div>',
$trial_url,
$this->get_text_x_inline( 'Start free trial', 'call to action', 'start-free-trial' )
);
+ $message_text = $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string}" );
+
$this->_admin_notices->add_sticky(
- $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string} {$button}" ),
+ "<div class="fs-trial-message-container"><div>{$message_text}</div> {$button}</div>",
'trial_promotion',
'',
'promotion'
@@ -25476,7 +25478,7 @@
$img_dir = WP_FS__DIR_IMG;
// Locate the main assets folder.
- if ( 1 < count( $fs_active_plugins->plugins ) ) {
+ if ( ! empty( $fs_active_plugins->plugins ) ) {
$plugin_or_theme_img_dir = ( $this->is_plugin() ? WP_PLUGIN_DIR : get_theme_root( get_stylesheet() ) );
foreach ( $fs_active_plugins->plugins as $sdk_path => &$data ) {
--- a/master-addons/lib/freemius/includes/class-fs-plugin-updater.php
+++ b/master-addons/lib/freemius/includes/class-fs-plugin-updater.php
@@ -542,24 +542,8 @@
global $wp_current_filter;
- $current_plugin_version = $this->_fs->get_plugin_version();
-
- if ( ! empty( $wp_current_filter ) && 'upgrader_process_complete' === $wp_current_filter[0] ) {
- if (
- is_null( $this->_update_details ) ||
- ( is_object( $this->_update_details ) && $this->_update_details->new_version !== $current_plugin_version )
- ) {
- /**
- * After an update, clear the stored update details and reparse the plugin's main file in order to get
- * the updated version's information and prevent the previous update information from showing up on the
- * updates page.
- *
- * @author Leo Fajardo (@leorw)
- * @since 2.3.1
- */
- $this->_update_details = null;
- $current_plugin_version = $this->_fs->get_plugin_version( true );
- }
+ if ( ! empty( $wp_current_filter ) && in_array( 'upgrader_process_complete', $wp_current_filter ) ) {
+ return $transient_data;
}
if ( ! isset( $this->_update_details ) ) {
@@ -568,7 +552,7 @@
false,
fs_request_get_bool( 'force-check' ),
FS_Plugin_Updater::UPDATES_CHECK_CACHE_EXPIRATION,
- $current_plugin_version
+ $this->_fs->get_plugin_version()
);
$this->_update_details = false;
--- a/master-addons/lib/freemius/includes/entities/class-fs-plugin-plan.php
+++ b/master-addons/lib/freemius/includes/entities/class-fs-plugin-plan.php
@@ -13,7 +13,6 @@
/**
* Class FS_Plugin_Plan
*
- * @property FS_Pricing[] $pricing
*/
class FS_Plugin_Plan extends FS_Entity {
--- a/master-addons/lib/freemius/includes/entities/class-fs-site.php
+++ b/master-addons/lib/freemius/includes/entities/class-fs-site.php
@@ -10,16 +10,16 @@
exit;
}
- /**
- * @property int $blog_id
- */
- #[AllowDynamicProperties]
class FS_Site extends FS_Scope_Entity {
/**
* @var number
*/
public $site_id;
/**
+ * @var int
+ */
+ public $blog_id;
+ /**
* @var number
*/
public $plugin_id;
--- a/master-addons/lib/freemius/includes/entities/class-fs-user.php
+++ b/master-addons/lib/freemius/includes/entities/class-fs-user.php
@@ -48,6 +48,19 @@
parent::__construct( $user );
}
+ /**
+ * This method removes the deprecated 'is_beta' property from the serialized data.
+ * Should clean up the serialized data to avoid PHP 8.2 warning on next execution.
+ *
+ * @return void
+ */
+ function __wakeup() {
+ if ( property_exists( $this, 'is_beta' ) ) {
+ // If we enter here, and we are running PHP 8.2, we already had the warning. But we sanitize data for next execution.
+ unset( $this->is_beta );
+ }
+ }
+
function get_name() {
return trim( ucfirst( trim( is_string( $this->first ) ? $this->first : '' ) ) . ' ' . ucfirst( trim( is_string( $this->last ) ? $this->last : '' ) ) );
}
--- a/master-addons/lib/freemius/includes/managers/class-fs-admin-menu-manager.php
+++ b/master-addons/lib/freemius/includes/managers/class-fs-admin-menu-manager.php
@@ -699,16 +699,36 @@
$menu = $this->find_main_submenu();
}
+ $menu_slug = $menu['menu'][2];
$parent_slug = isset( $menu['parent_slug'] ) ?
- $menu['parent_slug'] :
- 'admin.php';
+ $menu['parent_slug'] :
+ 'admin.php';
- return admin_url(
- $parent_slug .
- ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
- 'page=' .
- $menu['menu'][2]
- );
+ if ( fs_apply_filter( $this->_module_unique_affix, 'enable_cpt_advanced_menu_logic', false ) ) {
+ $parent_slug = 'admin.php';
+
+ /**
+ * This line and the `if` block below it are based on the `menu_page_url()` function of WordPress.
+ *
+ * @author Leo Fajardo (@leorw)
+ * @since 2.10.2
+ */
+ global $_parent_pages;
+
+ if ( ! empty( $_parent_pages[ $menu_slug ] ) ) {
+ $_parent_slug = $_parent_pages[ $menu_slug ];
+ $parent_slug = isset( $_parent_pages[ $_parent_slug ] ) ?
+ $parent_slug :
+ $menu['parent_slug'];
+ }
+ }
+
+ return admin_url(
+ $parent_slug .
+ ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
+ 'page=' .
+ $menu_slug
+ );
}
/**
--- a/master-addons/lib/freemius/includes/managers/class-fs-admin-notice-manager.php
+++ b/master-addons/lib/freemius/includes/managers/class-fs-admin-notice-manager.php
@@ -194,8 +194,14 @@
* @since 1.0.7
*/
static function _add_sticky_dismiss_javascript() {
+ $sticky_admin_notice_js_template_name = 'sticky-admin-notice-js.php';
+
+ if ( ! file_exists( fs_get_template_path( $sticky_admin_notice_js_template_name ) ) ) {
+ return;
+ }
+
$params = array();
- fs_require_once_template( 'sticky-admin-notice-js.php', $params );
+ fs_require_once_template( $sticky_admin_notice_js_template_name, $params );
}
private static $_added_sticky_javascript = false;
--- a/master-addons/lib/freemius/start.php
+++ b/master-addons/lib/freemius/start.php
@@ -15,7 +15,7 @@
*
* @var string
*/
- $this_sdk_version = '2.10.1';
+ $this_sdk_version = '2.11.0';
#region SDK Selection Logic --------------------------------------------------------------------
--- a/master-addons/master-addons.php
+++ b/master-addons/master-addons.php
@@ -5,7 +5,7 @@
* Description: Master Addons is easy and must have Elementor Addons for WordPress Page Builder. Clean, Modern, Hand crafted designed Addons blocks.
* Plugin URI: https://master-addons.com/all-widgets/
* Author: Jewel Theme
- * Version: 2.0.7.2
+ * Version: 2.0.7.3
* Author URI: https://master-addons.com
* Text Domain: master-addons
* Domain Path: /languagesModSecurity Protection Against This CVE
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2024-13362
# This rule blocks reflected XSS attempts via the 'url' parameter in Freemius trial notices.
# The attack vector uses javascript: pseudo-protocols or other XSS payloads in the 'url' GET parameter.
SecRule REQUEST_URI "@rx ^/wp-admin/admin.php"
"id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Freemius Reflected XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'"
SecRule ARGS_GET:url "@rx (?i:javascript:s*|data:s*text/html|vbscript:|onload=|onclick=|<script)"
"t:none,t:urlDecode,t:lowercase"
Frequently Asked Questions
What is CVE-2024-13362?
Understanding the vulnerabilityCVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability found in the Freemius SDK used by the Master Addons plugin for WordPress. It allows unauthenticated attackers to inject arbitrary JavaScript into admin pages by manipulating the ‘url’ parameter.
How does the vulnerability work?
Mechanism of exploitationThe vulnerability occurs when a user-supplied URL is directly included in an HTML anchor tag without proper sanitization. An attacker can craft a link containing malicious JavaScript, which executes when an administrator clicks the link, potentially compromising the admin session.
Who is affected by this vulnerability?
Identifying vulnerable installationsWordPress installations using the Master Addons plugin version 2.0.7.2 or earlier are affected. Administrators should check their plugin version and update if necessary.
How can I check if I am using a vulnerable version?
Verifying plugin versionsYou can check the version of the Master Addons plugin in the WordPress admin dashboard under ‘Plugins’. Look for the version number next to the Master Addons entry.
How can I fix this vulnerability?
Updating the affected pluginTo mitigate this vulnerability, update the Master Addons plugin to version 2.0.7.3 or later, which contains the necessary patches to address the XSS issue.
What does the CVSS score of 6.1 mean?
Understanding severity levelsA CVSS score of 6.1 indicates a medium severity level. This means that while the vulnerability requires user interaction to exploit, it can still have significant consequences if successfully executed against an administrator.
What practical risks does this vulnerability pose?
Potential impacts on securityIf exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the context of an administrator’s browser. This can lead to session hijacking, unauthorized admin actions, or even full site compromise.
What is a proof of concept for this vulnerability?
Demonstrating the exploitA proof of concept involves crafting a URL such as ‘/wp-admin/admin.php?page=master-addons&url=javascript:alert(document.cookie)’. When an administrator clicks this link, the malicious script executes, demonstrating the XSS vulnerability.
What should I do if I cannot update the plugin immediately?
Mitigation strategiesIf immediate updates are not possible, consider restricting access to the WordPress admin area to trusted users only. Additionally, monitor for any suspicious activities and educate users about not clicking on untrusted links.
Are there any other security measures I should take?
Enhancing overall securityIn addition to updating the plugin, ensure that all other plugins and themes are up to date, implement strong password policies, and consider using a web application firewall (WAF) to provide an additional layer of security.
How can I report further vulnerabilities?
Responsible disclosureIf you discover additional vulnerabilities, you can report them through the appropriate channels, such as the plugin’s support forum or a dedicated security email address provided by the developers.
Where can I find more information about this vulnerability?
Resources for further readingFor more detailed information, refer to the official CVE database or the plugin’s changelog on its website, which may provide additional context and updates regarding security issues.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
