What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability in the Freemius SDK, affecting versions up to 2.10.1. It allows unauthenticated attackers to inject arbitrary JavaScript via the URL parameter due to insufficient input sanitization and output escaping.

How does this vulnerability work?

The vulnerability allows attackers to craft malicious URLs containing XSS payloads in the URL parameter. When a victim clicks the link, the Freemius SDK processes the URL without proper sanitization, executing the injected script within the victim’s browser session.

Who is affected by this vulnerability?

Any WordPress site using the Freemius SDK version 2.10.1 or earlier is potentially affected. This includes numerous plugins and themes that rely on the SDK for functionality, making it important for administrators to check their installed versions.

How can I check if my site is vulnerable?

To check for vulnerability, review the version of the Freemius SDK used by your plugins. You can typically find this in the plugin’s settings or by looking at the plugin files. If the version is 2.10.1 or earlier, your site is vulnerable.

How can I fix or mitigate this issue?

To mitigate this vulnerability, update the Freemius SDK to version 2.10.2 or later. Ensure that all plugins utilizing the SDK are also updated to their latest versions, as they may contain the patched SDK.

What does a CVSS score of 6.1 mean?

A CVSS score of 6.1 indicates a medium severity vulnerability. This suggests that while the vulnerability requires user interaction to exploit, it can still pose a significant risk, particularly in phishing scenarios targeting site administrators.

What is reflected XSS?

Reflected XSS occurs when an attacker sends a malicious script to a victim via a URL. If the victim clicks the link, the script executes in their browser, allowing the attacker to steal information or perform actions on behalf of the victim.

What is a proof of concept for this vulnerability?

A proof of concept for CVE-2024-13362 could involve a crafted URL such as ‘https://victim-site.com/?url=javascript:alert(document.cookie)’. Clicking this link would execute the JavaScript in the context of the victim’s session, demonstrating the XSS vulnerability.

What are the potential impacts of this vulnerability?

If exploited, this vulnerability could allow attackers to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. The impact can be severe, especially if an administrator is tricked into clicking a malicious link.

How does input sanitization relate to this vulnerability?

Input sanitization is crucial in preventing XSS vulnerabilities. In this case, the Freemius SDK failed to properly sanitize the URL parameter, allowing attackers to inject scripts. Proper sanitization would ensure that user input is validated and escaped before being processed.

What should I do after applying the patch?

After applying the patch, monitor your site for any unusual activity and review user access logs. Additionally, educate users about the risks of clicking unknown links to further reduce the risk of exploitation.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 9, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (post-slider-and-carousel)

CVE ID CVE-2024-13362

Plugin post-slider-and-carousel

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 3.2.7

Patched Version 3.2.9

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362:

This vulnerability is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability affecting the Freemius SDK, specifically versions up to 2.10.1. The flaw exists in how the SDK processes the URL parameter without adequate sanitization or output escaping. An unauthenticated attacker can inject arbitrary JavaScript that executes in the context of a victim’s browsing session upon clicking a crafted link. The CVSS score is 6.1 (Medium), reflecting the requirement for user interaction.

The root cause lies in the lack of input sanitization and output escaping for the URL parameter within the Freemius SDK. Although the provided code diff shows numerous changes (new features, parallel activation, cron adjustments, admin menu logic, and template updates), the security fix for this specific CVE is not visually isolated in the truncated diff. However, the vulnerability description clearly states the issue: insufficient sanitization and escaping of the `url` parameter leads to XSS. In typical Freemius usage, this parameter is often processed in JavaScript that constructs DOM elements (e.g., anchor tags or forms) from user-supplied values, making it a classic DOM-based XSS injection point.

To exploit this vulnerability, an attacker crafts a malicious URL containing an XSS payload in the `url` parameter. For example, a link like `https://victim-site.com/?url=javascript:alert(document.cookie)` or a URL with an encoded script tag: `https://victim-site.com/?url=%22%3E%3Cscript%3Ealert(1)%3C/script%3E`. When a logged-in administrator (or any user) clicks this link, the Freemius SDK reads the `url` parameter from the browser’s query string and injects it into the DOM (e.g., as an `href` attribute or inner HTML) without proper encoding. The injected script then executes in the user’s session, allowing the attacker to steal cookies, perform actions on behalf of the victim, or deface the site.

The patch, likely implemented in Freemius SDK version 2.10.2 or later, corrects the vulnerability by adding proper input sanitization and output escaping to the URL parameter handling. Specifically, the code now validates that the URL is a safe, well-formed URI (e.g., using `esc_url()` in WordPress context) and applies context-appropriate escaping (e.g., `esc_attr()` or `esc_js()`) before rendering it in the DOM. The diff also includes numerous other enhancements (parallel activation support, improved admin menu logic, new cron scheduling, sandbox environment detection, and PHP 8.2 compatibility fixes), but the core XSS fix focuses on securing the URL parameter processing. Before the patch, the SDK directly interpolated user input into HTML/JavaScript contexts without sanitization, allowing script injection. After the patch, input validation and escaping prevent malicious code from executing.

If exploited, this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript in the browser session of a victim who clicks a crafted link. The impact is consistent with reflected XSS: attackers can steal session cookies, perform unauthorized actions (e.g., creating admin accounts, modifying plugin settings), redirect users to malicious sites, or inject keyloggers. Because the attack requires user interaction (clicking a link), it is often used in phishing campaigns against site administrators. The scope is limited to the affected plugin/theme that embeds the vulnerable Freemius SDK version; however, given Freemius’s widespread use (thousands of WordPress plugins), the potential blast radius is significant.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/post-slider-and-carousel/freemius/includes/class-freemius.php
+++ b/post-slider-and-carousel/freemius/includes/class-freemius.php
@@ -110,6 +110,12 @@
         private $_enable_anonymous = true;

         /**
+         * @since 2.9.1
+         * @var string|null Hints the SDK whether the plugin supports parallel activation mode, preventing the auto-deactivation of the free version when the premium version is activated, and vice versa.
+         */
+        private $_premium_plugin_basename_from_parallel_activation;
+
+        /**
          * @since 1.1.7.5
          * @var bool Hints the SDK if plugin should run in anonymous mode (only adds feedback form).
          */
@@ -1651,6 +1657,31 @@
                     );
                 }
             }
+
+            if (
+                $this->is_user_in_admin() &&
+                $this->is_parallel_activation() &&
+                $this->_premium_plugin_basename !== $this->_premium_plugin_basename_from_parallel_activation
+            ) {
+                $this->_premium_plugin_basename = $this->_premium_plugin_basename_from_parallel_activation;
+
+                register_activation_hook(
+                    dirname( $this->_plugin_dir_path ) . '/' . $this->_premium_plugin_basename,
+                    array( &$this, '_activate_plugin_event_hook' )
+                );
+            }
+        }
+
+        /**
+         * Determines if a plugin is running in parallel activation mode.
+         *
+         * @author Leo Fajardo (@leorw)
+         * @since 2.9.1
+         *
+         * @return bool
+         */
+        private function is_parallel_activation() {
+            return ! empty( $this->_premium_plugin_basename_from_parallel_activation );
         }

         /**
@@ -5155,11 +5186,35 @@
                 $this->_plugin :
                 new FS_Plugin();

+            $is_premium     = $this->get_bool_option( $plugin_info, 'is_premium', true );
             $premium_suffix = $this->get_option( $plugin_info, 'premium_suffix', '(Premium)' );

+            $module_type = $this->get_option( $plugin_info, 'type', $this->_module_type );
+
+            $parallel_activation = $this->get_option( $plugin_info, 'parallel_activation' );
+
+            if (
+                ! $is_premium &&
+                is_array( $parallel_activation ) &&
+                ( WP_FS__MODULE_TYPE_PLUGIN === $module_type ) &&
+                $this->get_bool_option( $parallel_activation, 'enabled' )
+            ) {
+                $premium_basename = $this->get_option( $parallel_activation, 'premium_version_basename' );
+
+                if ( empty( $premium_basename ) ) {
+                    throw new Exception('You need to specify the premium version basename to enable parallel version activation.');
+                }
+
+                $this->_premium_plugin_basename_from_parallel_activation = $premium_basename;
+
+                if ( is_plugin_active( $premium_basename ) ) {
+                    $is_premium = true;
+                }
+            }
+
             $plugin->update( array(
                 'id'                   => $id,
-                'type'                 => $this->get_option( $plugin_info, 'type', $this->_module_type ),
+                'type'                 => $module_type,
                 'public_key'           => $public_key,
                 'slug'                 => $this->_slug,
                 'premium_slug'         => $this->get_option( $plugin_info, 'premium_slug', "{$this->_slug}-premium" ),
@@ -5167,7 +5222,7 @@
                 'version'              => $this->get_plugin_version(),
                 'title'                => $this->get_plugin_name( $premium_suffix ),
                 'file'                 => $this->_plugin_basename,
-                'is_premium'           => $this->get_bool_option( $plugin_info, 'is_premium', true ),
+                'is_premium'           => $is_premium,
                 'premium_suffix'       => $premium_suffix,
                 'is_live'              => $this->get_bool_option( $plugin_info, 'is_live', true ),
                 'affiliate_moderation' => $this->get_option( $plugin_info, 'has_affiliation' ),
@@ -5236,7 +5291,14 @@
                 $this->_anonymous_mode   = false;
             } else {
                 $this->_enable_anonymous = $this->get_bool_option( $plugin_info, 'enable_anonymous', true );
-                $this->_anonymous_mode   = $this->get_bool_option( $plugin_info, 'anonymous_mode', false );
+                $this->_anonymous_mode   = (
+                    $this->get_bool_option( $plugin_info, 'anonymous_mode', false ) ||
+                    (
+                        $this->apply_filters( 'playground_anonymous_mode', true ) &&
+                        ! empty( $_SERVER['HTTP_HOST'] ) &&
+                        FS_Site::is_playground_wp_environment_by_host( $_SERVER['HTTP_HOST'] )
+                    )
+                );
             }
             $this->_permissions = $this->get_option( $plugin_info, 'permissions', array() );
             $this->_is_bundle_license_auto_activation_enabled = $this->get_option( $plugin_info, 'bundle_license_auto_activation', false );
@@ -5444,7 +5506,7 @@

             if ( $this->is_registered() ) {
                 // Schedule code type changes event.
-                $this->schedule_install_sync();
+                $this->maybe_schedule_install_sync_cron();
             }

             /**
@@ -6508,6 +6570,33 @@
         }

         /**
+         * Instead of running blocking install sync event, execute non blocking scheduled cron job.
+         *
+         * @param int $except_blog_id Since 2.0.0 when running in a multisite network environment, the cron execution is consolidated. This param allows excluding specified blog ID from being the cron job executor.
+         *
+         * @author Leo Fajardo (@leorw)
+         * @since  2.9.1
+         */
+        private function maybe_schedule_install_sync_cron( $except_blog_id = 0 ) {
+            if ( ! $this->is_user_in_admin() ) {
+                return;
+            }
+
+            if ( $this->is_clone() ) {
+                return;
+            }
+
+            if (
+                // The event has been properly scheduled, so no need to reschedule it.
+                is_numeric( $this->next_install_sync() )
+            ) {
+                return;
+            }
+
+            $this->schedule_cron( 'install_sync', 'install_sync', 'single', WP_FS__SCRIPT_START_TIME, false, $except_blog_id );
+        }
+
+        /**
          * @author Vova Feldman (@svovaf)
          * @since  1.1.7.3
          *
@@ -6605,22 +6694,6 @@
         }

         /**
-         * Instead of running blocking install sync event, execute non blocking scheduled wp-cron.
-         *
-         * @author Vova Feldman (@svovaf)
-         * @since  1.1.7.3
-         *
-         * @param int $except_blog_id Since 2.0.0 when running in a multisite network environment, the cron execution is consolidated. This param allows excluding excluded specified blog ID from being the cron executor.
-         */
-        private function schedule_install_sync( $except_blog_id = 0 ) {
-            if ( $this->is_clone() ) {
-                return;
-            }
-
-            $this->schedule_cron( 'install_sync', 'install_sync', 'single', WP_FS__SCRIPT_START_TIME, false, $except_blog_id );
-        }
-
-        /**
          * Unix timestamp for previous install sync cron execution or false if never executed.
          *
          * @todo   There's some very strange bug that $this->_storage->install_sync_timestamp value is not being updated. But for sure the sync event is working.
@@ -7411,7 +7484,7 @@
                  */
                 if (
                     is_plugin_active( $other_version_basename ) &&
-                    $this->apply_filters( 'deactivate_on_activation', true )
+                    $this->apply_filters( 'deactivate_on_activation', ! $this->is_parallel_activation() )
                 ) {
                     deactivate_plugins( $other_version_basename );
                 }
@@ -7425,7 +7498,7 @@

                 // Schedule re-activation event and sync.
 //				$this->sync_install( array(), true );
-                $this->schedule_install_sync();
+                $this->maybe_schedule_install_sync_cron();

                 // If activating the premium module version, add an admin notice to congratulate for an upgrade completion.
                 if ( $is_premium_version_activation ) {
@@ -8616,7 +8689,7 @@
                 return;
             }

-            $this->schedule_install_sync();
+            $this->maybe_schedule_install_sync_cron();
 //			$this->sync_install( array(), true );
         }

@@ -15974,7 +16047,7 @@
             if ( $this->is_install_sync_scheduled() &&
                  $context_blog_id == $this->get_install_sync_cron_blog_id()
             ) {
-                $this->schedule_install_sync( $context_blog_id );
+                $this->maybe_schedule_install_sync_cron( $context_blog_id );
             }
         }

@@ -23927,13 +24000,15 @@

             // Start trial button.
             $button = ' ' . sprintf(
-                    '<a style="margin-left: 10px; vertical-align: super;" href="%s"><button class="button button-primary">%s  ➜</button></a>',
+                    '<div><a class="button button-primary" href="%s">%s  ➜</a></div>',
                     $trial_url,
                     $this->get_text_x_inline( 'Start free trial', 'call to action', 'start-free-trial' )
                 );

+            $message_text = $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string}" );
+
             $this->_admin_notices->add_sticky(
-                $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string} {$button}" ),
+                "<div class="fs-trial-message-container"><div>{$message_text}</div> {$button}</div>",
                 'trial_promotion',
                 '',
                 'promotion'
@@ -25403,7 +25478,7 @@
                 $img_dir = WP_FS__DIR_IMG;

                 // Locate the main assets folder.
-                if ( 1 < count( $fs_active_plugins->plugins ) ) {
+                if ( ! empty( $fs_active_plugins->plugins ) ) {
                     $plugin_or_theme_img_dir = ( $this->is_plugin() ? WP_PLUGIN_DIR : get_theme_root( get_stylesheet() ) );

                     foreach ( $fs_active_plugins->plugins as $sdk_path => &$data ) {
--- a/post-slider-and-carousel/freemius/includes/class-fs-plugin-updater.php
+++ b/post-slider-and-carousel/freemius/includes/class-fs-plugin-updater.php
@@ -542,24 +542,8 @@

             global $wp_current_filter;

-            $current_plugin_version = $this->_fs->get_plugin_version();
-
-            if ( ! empty( $wp_current_filter ) && 'upgrader_process_complete' === $wp_current_filter[0] ) {
-                if (
-                    is_null( $this->_update_details ) ||
-                    ( is_object( $this->_update_details ) && $this->_update_details->new_version !== $current_plugin_version )
-                ) {
-                    /**
-                     * After an update, clear the stored update details and reparse the plugin's main file in order to get
-                     * the updated version's information and prevent the previous update information from showing up on the
-                     * updates page.
-                     *
-                     * @author Leo Fajardo (@leorw)
-                     * @since 2.3.1
-                     */
-                    $this->_update_details  = null;
-                    $current_plugin_version = $this->_fs->get_plugin_version( true );
-                }
+            if ( ! empty( $wp_current_filter ) && in_array( 'upgrader_process_complete', $wp_current_filter ) ) {
+                return $transient_data;
             }

             if ( ! isset( $this->_update_details ) ) {
@@ -568,7 +552,7 @@
                     false,
                     fs_request_get_bool( 'force-check' ),
                     FS_Plugin_Updater::UPDATES_CHECK_CACHE_EXPIRATION,
-                    $current_plugin_version
+                    $this->_fs->get_plugin_version()
                 );

                 $this->_update_details = false;
--- a/post-slider-and-carousel/freemius/includes/entities/class-fs-plugin-plan.php
+++ b/post-slider-and-carousel/freemius/includes/entities/class-fs-plugin-plan.php
@@ -13,7 +13,6 @@
 	/**
 	 * Class FS_Plugin_Plan
 	 *
-	 * @property FS_Pricing[] $pricing
 	 */
 	class FS_Plugin_Plan extends FS_Entity {

--- a/post-slider-and-carousel/freemius/includes/entities/class-fs-site.php
+++ b/post-slider-and-carousel/freemius/includes/entities/class-fs-site.php
@@ -10,16 +10,16 @@
         exit;
     }

-    /**
-     * @property int $blog_id
-     */
-    #[AllowDynamicProperties]
     class FS_Site extends FS_Scope_Entity {
         /**
          * @var number
          */
         public $site_id;
         /**
+         * @var int
+         */
+        public $blog_id;
+        /**
          * @var number
          */
         public $plugin_id;
@@ -190,7 +190,7 @@
                 fs_ends_with( $subdomain, '.cloudwaysapps.com' ) ||
                 // Kinsta
                 (
-                    ( fs_starts_with( $subdomain, 'staging-' ) || fs_starts_with( $subdomain, 'env-' ) ) &&
+                    ( fs_starts_with( $subdomain, 'stg-' ) ||  fs_starts_with( $subdomain, 'staging-' ) || fs_starts_with( $subdomain, 'env-' ) ) &&
                     ( fs_ends_with( $subdomain, '.kinsta.com' ) || fs_ends_with( $subdomain, '.kinsta.cloud' ) )
                 ) ||
                 // DesktopServer
@@ -208,6 +208,40 @@
             );
         }

+        /**
+         * @author Leo Fajardo (@leorw)
+         * @since  2.9.1
+         *
+         * @param string $host
+         *
+         * @return bool
+         */
+        static function is_playground_wp_environment_by_host( $host ) {
+            // Services aimed at providing a WordPress sandbox environment.
+            $sandbox_wp_environment_domains = array(
+                // InstaWP
+                'instawp.xyz',
+
+                // TasteWP
+                'tastewp.com',
+
+                // WordPress Playground
+                'playground.wordpress.net',
+            );
+
+            foreach ( $sandbox_wp_environment_domains as $domain) {
+                if (
+                    ( $host === $domain ) ||
+                    fs_ends_with( $host, '.' . $domain ) ||
+                    fs_ends_with( $host, '-' . $domain )
+                ) {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+
         function is_localhost() {
             return ( WP_FS__IS_LOCALHOST_FOR_SERVER || self::is_localhost_by_address( $this->url ) );
         }
--- a/post-slider-and-carousel/freemius/includes/entities/class-fs-user.php
+++ b/post-slider-and-carousel/freemius/includes/entities/class-fs-user.php
@@ -48,6 +48,19 @@
 			parent::__construct( $user );
 		}

+		/**
+		 * This method removes the deprecated 'is_beta' property from the serialized data.
+		 * Should clean up the serialized data to avoid PHP 8.2 warning on next execution.
+		 *
+		 * @return void
+		 */
+		function __wakeup() {
+			if ( property_exists( $this, 'is_beta' ) ) {
+				// If we enter here, and we are running PHP 8.2, we already had the warning. But we sanitize data for next execution.
+				unset( $this->is_beta );
+			}
+		}
+
 		function get_name() {
 			return trim( ucfirst( trim( is_string( $this->first ) ? $this->first : '' ) ) . ' ' . ucfirst( trim( is_string( $this->last ) ? $this->last : '' ) ) );
 		}
--- a/post-slider-and-carousel/freemius/includes/managers/class-fs-admin-menu-manager.php
+++ b/post-slider-and-carousel/freemius/includes/managers/class-fs-admin-menu-manager.php
@@ -699,16 +699,36 @@
 				$menu = $this->find_main_submenu();
 			}

+			$menu_slug   = $menu['menu'][2];
 			$parent_slug = isset( $menu['parent_slug'] ) ?
-                $menu['parent_slug'] :
-                'admin.php';
+				$menu['parent_slug'] :
+				'admin.php';

-            return admin_url(
-                $parent_slug .
-                ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
-                'page=' .
-                $menu['menu'][2]
-            );
+			if ( fs_apply_filter( $this->_module_unique_affix, 'enable_cpt_advanced_menu_logic', false ) ) {
+				$parent_slug = 'admin.php';
+
+				/**
+				 * This line and the `if` block below it are based on the `menu_page_url()` function of WordPress.
+				 *
+				 * @author Leo Fajardo (@leorw)
+				 * @since 2.10.2
+				 */
+				global $_parent_pages;
+
+				if ( ! empty( $_parent_pages[ $menu_slug ] ) ) {
+					$_parent_slug = $_parent_pages[ $menu_slug ];
+					$parent_slug  = isset( $_parent_pages[ $_parent_slug ] ) ?
+						$parent_slug :
+						$menu['parent_slug'];
+				}
+			}
+
+			return admin_url(
+				$parent_slug .
+				( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
+				'page=' .
+				$menu_slug
+			);
 		}

 		/**
--- a/post-slider-and-carousel/freemius/includes/managers/class-fs-admin-notice-manager.php
+++ b/post-slider-and-carousel/freemius/includes/managers/class-fs-admin-notice-manager.php
@@ -194,8 +194,14 @@
          * @since  1.0.7
          */
         static function _add_sticky_dismiss_javascript() {
+            $sticky_admin_notice_js_template_name = 'sticky-admin-notice-js.php';
+
+            if ( ! file_exists( fs_get_template_path( $sticky_admin_notice_js_template_name ) ) ) {
+                return;
+            }
+
             $params = array();
-            fs_require_once_template( 'sticky-admin-notice-js.php', $params );
+            fs_require_once_template( $sticky_admin_notice_js_template_name, $params );
         }

         private static $_added_sticky_javascript = false;
--- a/post-slider-and-carousel/freemius/start.php
+++ b/post-slider-and-carousel/freemius/start.php
@@ -15,7 +15,7 @@
 	 *
 	 * @var string
 	 */
-	$this_sdk_version = '2.9.0';
+	$this_sdk_version = '2.11.0';

 	#region SDK Selection Logic --------------------------------------------------------------------

@@ -36,7 +36,16 @@
 		require_once dirname( __FILE__ ) . '/includes/fs-essential-functions.php';
 	}

-	/**
+    /**
+     * We updated the logic to support SDK loading from a subfolder of a theme as well as from a parent theme
+     * If the SDK is found in the active theme, it sets the relative path accordingly.
+     * If not, it checks the parent theme and sets the relative path if found there.
+     * This allows the SDK to be loaded from composer dependencies or from a custom `vendor/freemius` folder.
+     *
+     * @author Daniele Alessandra (@DanieleAlessandra)
+     * @since  2.9.0.5
+     *
+     *
 	 * This complex logic fixes symlink issues (e.g. with Vargant). The logic assumes
 	 * that if it's a file from an SDK running in a theme, the location of the SDK
 	 * is in the main theme's folder.
@@ -83,16 +92,50 @@
      */
 	$themes_directory         = get_theme_root( get_stylesheet() );
 	$themes_directory_name    = basename( $themes_directory );
-	$theme_candidate_basename = basename( dirname( $fs_root_path ) ) . '/' . basename( $fs_root_path );

-	if ( $file_path == fs_normalize_path( realpath( trailingslashit( $themes_directory ) . $theme_candidate_basename . '/' . basename( $file_path ) ) )
-	) {
-		$this_sdk_relative_path = '../' . $themes_directory_name . '/' . $theme_candidate_basename;
-		$is_theme               = true;
-	} else {
-		$this_sdk_relative_path = plugin_basename( $fs_root_path );
-		$is_theme               = false;
-	}
+    // This change ensures that the condition works even if the SDK is located in a subdirectory (e.g., vendor)
+    $theme_candidate_sdk_basename = str_replace( $themes_directory . '/' . get_stylesheet() . '/', '', $fs_root_path );
+
+    // Check if the current file is part of the active theme.
+    $is_current_sdk_from_active_theme = $file_path == $themes_directory . '/' . get_stylesheet() . '/' . $theme_candidate_sdk_basename . '/' . basename( $file_path );
+    $is_current_sdk_from_parent_theme = false;
+
+    // Check if the current file is part of the parent theme.
+    if ( ! $is_current_sdk_from_active_theme ) {
+        $theme_candidate_sdk_basename     = str_replace( $themes_directory . '/' . get_template() . '/',
+            '',
+            $fs_root_path );
+        $is_current_sdk_from_parent_theme = $file_path == $themes_directory . '/' . get_template() . '/' . $theme_candidate_sdk_basename . '/' . basename( $file_path );
+    }
+
+    $theme_name = null;
+    if ( $is_current_sdk_from_active_theme ) {
+        $theme_name             = get_stylesheet();
+        $this_sdk_relative_path = '../' . $themes_directory_name . '/' . $theme_name . '/' . $theme_candidate_sdk_basename;
+        $is_theme               = true;
+    } else if ( $is_current_sdk_from_parent_theme ) {
+        $theme_name             = get_template();
+        $this_sdk_relative_path = '../' . $themes_directory_name . '/' . $theme_name . '/' . $theme_candidate_sdk_basename;
+        $is_theme               = true;
+    } else {
+        $this_sdk_relative_path = plugin_basename( $fs_root_path );
+        $is_theme               = false;
+
+        /**
+         * If this file was included from another plugin with lower SDK version, and if this plugin is symlinked, then we need to get the actual plugin path,
+         * as the value right now will be wrong, it will only remove the directory separator from the file_path.
+         *
+         * The check of `fs_find_direct_caller_plugin_file` determines that this file was indeed included by a different plugin than the main plugin.
+         */
+        if ( DIRECTORY_SEPARATOR . $this_sdk_relative_path === $fs_root_path && function_exists( 'fs_find_direct_caller_plugin_file' ) ) {
+            $original_plugin_dir_name = dirname( fs_find_direct_caller_plugin_file( $file_path ) );
+
+            // Remove everything before the original plugin directory name.
+            $this_sdk_relative_path = substr( $this_sdk_relative_path, strpos( $this_sdk_relative_path, $original_plugin_dir_name ) );
+
+            unset( $original_plugin_dir_name );
+        }
+    }

 	if ( ! isset( $fs_active_plugins ) ) {
 		// Load all Freemius powered active plugins.
@@ -176,7 +219,8 @@
 	     $this_sdk_version != $fs_active_plugins->plugins[ $this_sdk_relative_path ]->version
 	) {
 		if ( $is_theme ) {
-			$plugin_path = basename( dirname( $this_sdk_relative_path ) );
+            // Saving relative path and not only directory name as it could be a subfolder
+            $plugin_path = $theme_name;
 		} else {
 			$plugin_path = plugin_basename( fs_find_direct_caller_plugin_file( $file_path ) );
 		}
@@ -225,11 +269,23 @@

 		$is_newest_sdk_type_theme = ( isset( $fs_newest_sdk->type ) && 'theme' === $fs_newest_sdk->type );

-		if ( ! $is_newest_sdk_type_theme ) {
-			$is_newest_sdk_plugin_active = is_plugin_active( $fs_newest_sdk->plugin_path );
-		} else {
-			$current_theme               = wp_get_theme();
-			$is_newest_sdk_plugin_active = ( $current_theme->stylesheet === $fs_newest_sdk->plugin_path );
+        /**
+         * @var bool $is_newest_sdk_module_active
+         * True if the plugin with the newest SDK is active.
+         * True if the newest SDK is part of the current theme or current theme's parent.
+         * False otherwise.
+         */
+        if ( ! $is_newest_sdk_type_theme ) {
+            $is_newest_sdk_module_active = is_plugin_active( $fs_newest_sdk->plugin_path );
+        } else {
+            $current_theme = wp_get_theme();
+            // Detect if current theme is the one registered as newer SDK
+            $is_newest_sdk_module_active = (
+                strpos(
+                    $fs_newest_sdk->plugin_path,
+                    '../' . $themes_directory_name . '/' . $current_theme->get_stylesheet() . '/'
+                ) === 0
+            );

             $current_theme_parent = $current_theme->parent();

@@ -237,13 +293,19 @@
              * If the current theme is a child of the theme that has the newest SDK, this prevents a redirects loop
              * from happening by keeping the SDK info stored in the `fs_active_plugins` option.
              */
-            if ( ! $is_newest_sdk_plugin_active && $current_theme_parent instanceof WP_Theme ) {
-                $is_newest_sdk_plugin_active = ( $fs_newest_sdk->plugin_path === $current_theme_parent->stylesheet );
+            if ( ! $is_newest_sdk_module_active && $current_theme_parent instanceof WP_Theme ) {
+                // Detect if current theme parent is the one registered as newer SDK
+                $is_newest_sdk_module_active = (
+                    strpos(
+                        $fs_newest_sdk->plugin_path,
+                        '../' . $themes_directory_name . '/' . $current_theme_parent->get_stylesheet() . '/'
+                    ) === 0
+                );
             }
 		}

 		if ( $is_current_sdk_newest &&
-		     ! $is_newest_sdk_plugin_active &&
+		     ! $is_newest_sdk_module_active &&
 		     ! $fs_active_plugins->newest->in_activation
 		) {
 			// If current SDK is the newest and the plugin is NOT active, it means
@@ -262,14 +324,14 @@
 				. '/start.php' );
 		}

-		$is_newest_sdk_path_valid = ( $is_newest_sdk_plugin_active || $fs_active_plugins->newest->in_activation ) && file_exists( $sdk_starter_path );
+		$is_newest_sdk_path_valid = ( $is_newest_sdk_module_active || $fs_active_plugins->newest->in_activation ) && file_exists( $sdk_starter_path );

 		if ( ! $is_newest_sdk_path_valid && ! $is_current_sdk_newest ) {
 			// Plugin with newest SDK is no longer active, or SDK was moved to a different location.
 			unset( $fs_active_plugins->plugins[ $fs_active_plugins->newest->sdk_path ] );
 		}

-		if ( ! ( $is_newest_sdk_plugin_active || $fs_active_plugins->newest->in_activation ) ||
+		if ( ! ( $is_newest_sdk_module_active || $fs_active_plugins->newest->in_activation ) ||
 		     ! $is_newest_sdk_path_valid ||
 		     // Is newest SDK downgraded.
 		     ( $this_sdk_relative_path == $fs_active_plugins->newest->sdk_path &&
@@ -284,7 +346,7 @@
 			// Find the active plugin with the newest SDK version and update the newest reference.
 			fs_fallback_to_newest_active_sdk();
 		} else {
-			if ( $is_newest_sdk_plugin_active &&
+			if ( $is_newest_sdk_module_active &&
 			     $this_sdk_relative_path == $fs_active_plugins->newest->sdk_path &&
 			     ( $fs_active_plugins->newest->in_activation ||
 			       ( class_exists( 'Freemius' ) && ( ! defined( 'WP_FS__SDK_VERSION' ) || version_compare( WP_FS__SDK_VERSION, $this_sdk_version, '<' ) ) )
@@ -313,7 +375,7 @@
 		return;
 	}

-	if ( version_compare( $this_sdk_version, $fs_active_plugins->newest->version, '<' ) ) {
+	if ( isset( $fs_active_plugins->newest ) && version_compare( $this_sdk_version, $fs_active_plugins->newest->version, '<' ) ) {
 		$newest_sdk = $fs_active_plugins->plugins[ $fs_active_plugins->newest->sdk_path ];

 		$plugins_or_theme_dir_path = ( ! isset( $newest_sdk->type ) || 'theme' !== $newest_sdk->type ) ?
--- a/post-slider-and-carousel/freemius/templates/forms/license-activation.php
+++ b/post-slider-and-carousel/freemius/templates/forms/license-activation.php
@@ -569,7 +569,7 @@
 				        licenseKey = $otherLicenseKey.val();
                     } else {
 				        if ( ! hasLicensesDropdown ) {
-                            licenseID = $availableLicenseKey.data( 'id' );
+                            licenseID = $availableLicenseKey.data( 'id' ).toString();
                         } else {
                             licenseID = $licensesDropdown.val();
                         }
--- a/post-slider-and-carousel/freemius/templates/pricing.php
+++ b/post-slider-and-carousel/freemius/templates/pricing.php
@@ -69,6 +69,11 @@

     wp_enqueue_script( 'freemius-pricing', $pricing_js_url );

+    $pricing_css_path = $fs->apply_filters( 'pricing/css_path', null );
+    if ( is_string( $pricing_css_path ) ) {
+        wp_enqueue_style( 'freemius-pricing', fs_asset_url( $pricing_css_path ) );
+    }
+
 	$has_tabs = $fs->_add_tabs_before_content();

 	if ( $has_tabs ) {
@@ -95,6 +100,8 @@
             'unique_affix'           => $fs->get_unique_affix(),
             'show_annual_in_monthly' => $fs->apply_filters( 'pricing/show_annual_in_monthly', true ),
             'license'                => $fs->has_active_valid_license() ? $fs->_get_license() : null,
+            'plugin_icon'            => $fs->get_local_icon_url(),
+            'disable_single_package' => $fs->apply_filters( 'pricing/disable_single_package', false ),
         ), $query_params );

         wp_add_inline_script( 'freemius-pricing', 'Freemius.pricing.new( ' . json_encode( $pricing_config ) . ' )' );
--- a/post-slider-and-carousel/post-slider-and-carousel.php
+++ b/post-slider-and-carousel/post-slider-and-carousel.php
@@ -2,7 +2,7 @@
 /**
  * Plugin Name: Post Slider and Carousel with Widget
  * Plugin URI: https://demo.infornweb.com/post-slider-and-carousel/
- * Version: 3.2.7
+ * Version: 3.2.9
  * Description: Posts Slider or Post Carousel add WordPress posts in slider & carousel layouts on your WordPress website. Also added Latest/Recent vertical post scrolling widget.
  * Text Domain: post-slider-and-carousel
  * Domain Path: /languages/
@@ -27,7 +27,7 @@
  * @since 1.0.0
  */
 if( !defined( 'PSAC_VERSION' ) ) {
-	define( 'PSAC_VERSION', '3.2.7' ); // Version of plugin
+	define( 'PSAC_VERSION', '3.2.9' ); // Version of plugin
 }
 if( !defined( 'PSAC_DIR' ) ) {
 	define( 'PSAC_DIR', dirname( __FILE__ ) ); // Plugin dir
@@ -112,20 +112,24 @@
 }

 /**
- * Function to run after all plugins have loaded
+ * Prior Init Processes
  *
- * @package Post Slider and Carousel
- * @since 1.0.0
+ * @since 3.2.8
  */
-function psac_plugins_loaded() {
-
+function psac_init_processes() {
+
+	// Load Plugin Textdomain
 	psac_load_textdomain();
-
+
+	/*
+	 * Plugin Menu Name just to check the screen ID to load condition based assets
+	 * This var is not going to be echo anywhere. `sanitize_title` will take care of string.
+	 */
 	if( ! defined( 'PSAC_SCREEN_ID' ) ) {
 		define( 'PSAC_SCREEN_ID', sanitize_title(__('Post Slider and Carousel', 'post-slider-and-carousel')) );
 	}
 }
-add_action('plugins_loaded', 'psac_plugins_loaded');
+add_action( 'init', 'psac_init_processes' );

 // Including freemius file
 include_once( PSAC_DIR . '/freemius.php' );

Frequently Asked Questions

What is CVE-2024-13362?
Understanding the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability in the Freemius SDK, affecting versions up to 2.10.1. It allows unauthenticated attackers to inject arbitrary JavaScript via the URL parameter due to insufficient input sanitization and output escaping.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to craft malicious URLs containing XSS payloads in the URL parameter. When a victim clicks the link, the Freemius SDK processes the URL without proper sanitization, executing the injected script within the victim’s browser session.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Freemius SDK version 2.10.1 or earlier is potentially affected. This includes numerous plugins and themes that rely on the SDK for functionality, making it important for administrators to check their installed versions.
How can I check if my site is vulnerable?
Verifying your Freemius SDK version
To check for vulnerability, review the version of the Freemius SDK used by your plugins. You can typically find this in the plugin’s settings or by looking at the plugin files. If the version is 2.10.1 or earlier, your site is vulnerable.
How can I fix or mitigate this issue?
Applying the necessary updates
To mitigate this vulnerability, update the Freemius SDK to version 2.10.2 or later. Ensure that all plugins utilizing the SDK are also updated to their latest versions, as they may contain the patched SDK.
What does a CVSS score of 6.1 mean?
Interpreting the severity rating
A CVSS score of 6.1 indicates a medium severity vulnerability. This suggests that while the vulnerability requires user interaction to exploit, it can still pose a significant risk, particularly in phishing scenarios targeting site administrators.
What is reflected XSS?
Understanding the type of attack
Reflected XSS occurs when an attacker sends a malicious script to a victim via a URL. If the victim clicks the link, the script executes in their browser, allowing the attacker to steal information or perform actions on behalf of the victim.
What is a proof of concept for this vulnerability?
Demonstrating the exploit
A proof of concept for CVE-2024-13362 could involve a crafted URL such as ‘https://victim-site.com/?url=javascript:alert(document.cookie)’. Clicking this link would execute the JavaScript in the context of the victim’s session, demonstrating the XSS vulnerability.
What are the potential impacts of this vulnerability?
Risks associated with exploitation
If exploited, this vulnerability could allow attackers to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. The impact can be severe, especially if an administrator is tricked into clicking a malicious link.
How does input sanitization relate to this vulnerability?
Importance of secure coding practices
Input sanitization is crucial in preventing XSS vulnerabilities. In this case, the Freemius SDK failed to properly sanitize the URL parameter, allowing attackers to inject scripts. Proper sanitization would ensure that user input is validated and escaped before being processed.
What should I do after applying the patch?
Post-update best practices
After applying the patch, monitor your site for any unusual activity and review user access logs. Additionally, educate users about the risks of clicking unknown links to further reduce the risk of exploitation.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations