What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability found in the Freemius SDK versions up to 2.10.1, which is included in the Shortcodes Ultimate plugin. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘url’ parameter, potentially executing malicious scripts in the context of a WordPress admin’s browser.

How does the vulnerability work?

The vulnerability occurs due to insufficient input sanitization and output escaping in the ‘class-freemius.php’ file. An attacker can craft a URL that includes a JavaScript payload in the ‘url’ parameter, which gets rendered in an admin notice when a logged-in administrator clicks the link, executing the script in their browser.

Who is affected by this vulnerability?

WordPress installations using the Shortcodes Ultimate plugin with the Freemius SDK version 2.10.1 or earlier are affected. Administrators should check their plugin versions to determine if they are running a vulnerable version.

How can I check if I am using a vulnerable version?

To check if you are using a vulnerable version, navigate to the Plugins section in your WordPress admin dashboard. Look for the Shortcodes Ultimate plugin and verify its version against the patched version, which is 7.3.4.

How can I fix this vulnerability?

To fix this vulnerability, update the Shortcodes Ultimate plugin to version 7.3.4 or later, which includes the patched version of the Freemius SDK. Regularly monitor and apply updates to all plugins to ensure security.

What does the CVSS score of 6.1 mean?

The CVSS score of 6.1 indicates a medium severity level for this vulnerability. It suggests that while the potential impact is significant, it requires user interaction for exploitation, meaning an attacker cannot exploit it without tricking a user into clicking a malicious link.

What are the practical risks of this vulnerability?

If exploited, this vulnerability could allow an attacker to execute arbitrary JavaScript in the context of an administrator’s session. This could lead to actions such as session hijacking, unauthorized plugin installations, or data theft.

What is a proof of concept (PoC) for this vulnerability?

A proof of concept for this vulnerability involves creating a crafted URL that includes a JavaScript payload in the ‘url’ parameter. For example, a URL like ‘/wp-admin/admin.php?page=shortcodes-ultimate&url=javascript:alert(document.domain)’ would execute the alert in the admin’s browser when clicked.

What measures can I take to further secure my WordPress site?

In addition to updating vulnerable plugins, consider implementing security plugins that provide firewalls, monitoring, and additional sanitization. Regularly audit your plugins and themes, and educate users on the risks of clicking unknown links.

How can I stay informed about future vulnerabilities?

Stay informed by subscribing to security mailing lists, following WordPress security blogs, and monitoring the CVE database. Regularly check for updates from plugin developers and apply them promptly.

What should I do if I suspect exploitation?

If you suspect that your site has been exploited, immediately change passwords for all accounts, review user activity logs, and consider restoring from a clean backup. Conduct a thorough security audit to identify and mitigate further risks.

Is there a way to report vulnerabilities I find?

Yes, if you discover a vulnerability, you can report it to the plugin developer or use platforms like HackerOne for responsible disclosure. Ensure to provide detailed information to help them understand and address the issue.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (shortcodes-ultimate)

CVE ID CVE-2024-13362

Plugin shortcodes-ultimate

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 7.3.3

Patched Version 7.3.4

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362: A reflected DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Freemius SDK versions up to 2.10.1, which is bundled with the Shortcodes Ultimate plugin. The vulnerability allows an unauthenticated attacker to inject arbitrary web scripts into admin notices, triggered when a victim clicks a crafted link.

The root cause is insufficient input sanitization and output escaping within the `class-freemius.php` file. At line 24011, the `trial_promotion_message` filter passes user-controlled data from the `url` parameter (`$trial_url`) directly into a `

--- a/shortcodes-ultimate/admin/class-shortcodes-ultimate-widget.php
+++ b/shortcodes-ultimate/admin/class-shortcodes-ultimate-widget.php
@@ -12,7 +12,7 @@

 		$widget_ops = array(
 			'classname'   => self::$widget_prefix,
-			'description' => __( 'Shortcodes Ultimate widget', 'shortcodes-ultimate' ),
+			'description' => 'Shortcodes Ultimate widget',
 		);

 		$control_ops = array(
@@ -23,7 +23,7 @@

 		parent::__construct(
 			self::$widget_prefix,
-			__( 'Shortcodes Ultimate', 'shortcodes-ultimate' ),
+			'Shortcodes Ultimate',
 			$widget_ops,
 			$control_ops
 		);
--- a/shortcodes-ultimate/freemius/includes/class-freemius.php
+++ b/shortcodes-ultimate/freemius/includes/class-freemius.php
@@ -24000,13 +24000,15 @@

             // Start trial button.
             $button = ' ' . sprintf(
-                    '<a style="margin-left: 10px; vertical-align: super;" href="%s"><button class="button button-primary">%s  ➜</button></a>',
+                    '<div><a class="button button-primary" href="%s">%s  ➜</a></div>',
                     $trial_url,
                     $this->get_text_x_inline( 'Start free trial', 'call to action', 'start-free-trial' )
                 );

+            $message_text = $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string}" );
+
             $this->_admin_notices->add_sticky(
-                $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string} {$button}" ),
+                "<div class="fs-trial-message-container"><div>{$message_text}</div> {$button}</div>",
                 'trial_promotion',
                 '',
                 'promotion'
@@ -25476,7 +25478,7 @@
                 $img_dir = WP_FS__DIR_IMG;

                 // Locate the main assets folder.
-                if ( 1 < count( $fs_active_plugins->plugins ) ) {
+                if ( ! empty( $fs_active_plugins->plugins ) ) {
                     $plugin_or_theme_img_dir = ( $this->is_plugin() ? WP_PLUGIN_DIR : get_theme_root( get_stylesheet() ) );

                     foreach ( $fs_active_plugins->plugins as $sdk_path => &$data ) {
--- a/shortcodes-ultimate/freemius/includes/class-fs-plugin-updater.php
+++ b/shortcodes-ultimate/freemius/includes/class-fs-plugin-updater.php
@@ -542,24 +542,8 @@

             global $wp_current_filter;

-            $current_plugin_version = $this->_fs->get_plugin_version();
-
-            if ( ! empty( $wp_current_filter ) && 'upgrader_process_complete' === $wp_current_filter[0] ) {
-                if (
-                    is_null( $this->_update_details ) ||
-                    ( is_object( $this->_update_details ) && $this->_update_details->new_version !== $current_plugin_version )
-                ) {
-                    /**
-                     * After an update, clear the stored update details and reparse the plugin's main file in order to get
-                     * the updated version's information and prevent the previous update information from showing up on the
-                     * updates page.
-                     *
-                     * @author Leo Fajardo (@leorw)
-                     * @since 2.3.1
-                     */
-                    $this->_update_details  = null;
-                    $current_plugin_version = $this->_fs->get_plugin_version( true );
-                }
+            if ( ! empty( $wp_current_filter ) && in_array( 'upgrader_process_complete', $wp_current_filter ) ) {
+                return $transient_data;
             }

             if ( ! isset( $this->_update_details ) ) {
@@ -568,7 +552,7 @@
                     false,
                     fs_request_get_bool( 'force-check' ),
                     FS_Plugin_Updater::UPDATES_CHECK_CACHE_EXPIRATION,
-                    $current_plugin_version
+                    $this->_fs->get_plugin_version()
                 );

                 $this->_update_details = false;
--- a/shortcodes-ultimate/freemius/includes/entities/class-fs-plugin-plan.php
+++ b/shortcodes-ultimate/freemius/includes/entities/class-fs-plugin-plan.php
@@ -13,7 +13,6 @@
 	/**
 	 * Class FS_Plugin_Plan
 	 *
-	 * @property FS_Pricing[] $pricing
 	 */
 	class FS_Plugin_Plan extends FS_Entity {

--- a/shortcodes-ultimate/freemius/includes/entities/class-fs-site.php
+++ b/shortcodes-ultimate/freemius/includes/entities/class-fs-site.php
@@ -10,16 +10,16 @@
         exit;
     }

-    /**
-     * @property int $blog_id
-     */
-    #[AllowDynamicProperties]
     class FS_Site extends FS_Scope_Entity {
         /**
          * @var number
          */
         public $site_id;
         /**
+         * @var int
+         */
+        public $blog_id;
+        /**
          * @var number
          */
         public $plugin_id;
--- a/shortcodes-ultimate/freemius/includes/entities/class-fs-user.php
+++ b/shortcodes-ultimate/freemius/includes/entities/class-fs-user.php
@@ -48,6 +48,19 @@
 			parent::__construct( $user );
 		}

+		/**
+		 * This method removes the deprecated 'is_beta' property from the serialized data.
+		 * Should clean up the serialized data to avoid PHP 8.2 warning on next execution.
+		 *
+		 * @return void
+		 */
+		function __wakeup() {
+			if ( property_exists( $this, 'is_beta' ) ) {
+				// If we enter here, and we are running PHP 8.2, we already had the warning. But we sanitize data for next execution.
+				unset( $this->is_beta );
+			}
+		}
+
 		function get_name() {
 			return trim( ucfirst( trim( is_string( $this->first ) ? $this->first : '' ) ) . ' ' . ucfirst( trim( is_string( $this->last ) ? $this->last : '' ) ) );
 		}
--- a/shortcodes-ultimate/freemius/includes/managers/class-fs-admin-menu-manager.php
+++ b/shortcodes-ultimate/freemius/includes/managers/class-fs-admin-menu-manager.php
@@ -699,16 +699,36 @@
 				$menu = $this->find_main_submenu();
 			}

+			$menu_slug   = $menu['menu'][2];
 			$parent_slug = isset( $menu['parent_slug'] ) ?
-                $menu['parent_slug'] :
-                'admin.php';
+				$menu['parent_slug'] :
+				'admin.php';

-            return admin_url(
-                $parent_slug .
-                ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
-                'page=' .
-                $menu['menu'][2]
-            );
+			if ( fs_apply_filter( $this->_module_unique_affix, 'enable_cpt_advanced_menu_logic', false ) ) {
+				$parent_slug = 'admin.php';
+
+				/**
+				 * This line and the `if` block below it are based on the `menu_page_url()` function of WordPress.
+				 *
+				 * @author Leo Fajardo (@leorw)
+				 * @since 2.10.2
+				 */
+				global $_parent_pages;
+
+				if ( ! empty( $_parent_pages[ $menu_slug ] ) ) {
+					$_parent_slug = $_parent_pages[ $menu_slug ];
+					$parent_slug  = isset( $_parent_pages[ $_parent_slug ] ) ?
+						$parent_slug :
+						$menu['parent_slug'];
+				}
+			}
+
+			return admin_url(
+				$parent_slug .
+				( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
+				'page=' .
+				$menu_slug
+			);
 		}

 		/**
--- a/shortcodes-ultimate/freemius/includes/managers/class-fs-admin-notice-manager.php
+++ b/shortcodes-ultimate/freemius/includes/managers/class-fs-admin-notice-manager.php
@@ -194,8 +194,14 @@
          * @since  1.0.7
          */
         static function _add_sticky_dismiss_javascript() {
+            $sticky_admin_notice_js_template_name = 'sticky-admin-notice-js.php';
+
+            if ( ! file_exists( fs_get_template_path( $sticky_admin_notice_js_template_name ) ) ) {
+                return;
+            }
+
             $params = array();
-            fs_require_once_template( 'sticky-admin-notice-js.php', $params );
+            fs_require_once_template( $sticky_admin_notice_js_template_name, $params );
         }

         private static $_added_sticky_javascript = false;
--- a/shortcodes-ultimate/freemius/start.php
+++ b/shortcodes-ultimate/freemius/start.php
@@ -15,7 +15,7 @@
 	 *
 	 * @var string
 	 */
-	$this_sdk_version = '2.10.1';
+	$this_sdk_version = '2.11.0';

 	#region SDK Selection Logic --------------------------------------------------------------------

--- a/shortcodes-ultimate/includes/shortcodes/lightbox.php
+++ b/shortcodes-ultimate/includes/shortcodes/lightbox.php
@@ -60,10 +60,13 @@
 		'lightbox'
 	);

-	if (
-		!$atts['src']
-		|| strpos(strtolower($atts['src']), 'javascript') !== false
-	) {
+	if ( !$atts['src'] ) {
+		return su_error_message('Lightbox', __('please specify correct source', 'shortcodes-ultimate'));
+	}
+
+	$atts['src'] = su_do_attribute($atts['src'], true);
+
+	if (strpos(strtolower($atts['src']), 'javascript') !== false) {
 		return su_error_message('Lightbox', __('please specify correct source', 'shortcodes-ultimate'));
 	}

@@ -72,6 +75,6 @@
 	su_query_asset('js', 'magnific-popup');
 	su_query_asset('js', 'su-shortcodes');

-	return '<span class="su-lightbox' . su_get_css_class($atts) . '" data-mfp-src="' . su_do_attribute($atts['src']) . '" data-mfp-type="' . sanitize_key($atts['type']) . '" data-mobile="' . sanitize_key($atts['mobile']) . '">' . do_shortcode($content) . '</span>';
+	return '<span class="su-lightbox' . su_get_css_class($atts) . '" data-mfp-src="' . esc_attr($atts['src']) . '" data-mfp-type="' . sanitize_key($atts['type']) . '" data-mobile="' . sanitize_key($atts['mobile']) . '">' . do_shortcode($content) . '</span>';

 }
--- a/shortcodes-ultimate/shortcodes-ultimate.php
+++ b/shortcodes-ultimate/shortcodes-ultimate.php
@@ -8,7 +8,7 @@
  * Description: A comprehensive collection of visual components for WordPress
  * Text Domain: shortcodes-ultimate
  * License: GPLv3
- * Version: 7.3.3
+ * Version: 7.3.4
  * Requires PHP: 5.4
  * Requires at least: 5.0
  * Tested up to: 6.7
@@ -63,6 +63,6 @@
         }
     }
     define( 'SU_PLUGIN_FILE', __FILE__ );
-    define( 'SU_PLUGIN_VERSION', '7.3.3' );
+    define( 'SU_PLUGIN_VERSION', '7.3.4' );
     require_once dirname( __FILE__ ) . '/plugin.php';
 }
 No newline at end of file

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362
# Block reflected XSS via url parameter in Freemius admin notices
# This rule blocks requests to admin pages where the url parameter contains JavaScript payloads
SecRule REQUEST_URI "@rx ^/wp-admin/admin.php" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Freemius SDK reflected XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule ARGS_GET:url "@rx [(ja)(vb)][s]*[:]" 
    "t:none,t:urlDecodeUni,t:lowercase,chain"
    SecRule ARGS_GET:page "@rx shortcodes-ultimate" "t:none"

Frequently Asked Questions

What is CVE-2024-13362?
Overview of the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability found in the Freemius SDK versions up to 2.10.1, which is included in the Shortcodes Ultimate plugin. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘url’ parameter, potentially executing malicious scripts in the context of a WordPress admin’s browser.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs due to insufficient input sanitization and output escaping in the ‘class-freemius.php’ file. An attacker can craft a URL that includes a JavaScript payload in the ‘url’ parameter, which gets rendered in an admin notice when a logged-in administrator clicks the link, executing the script in their browser.
Who is affected by this vulnerability?
Identifying vulnerable installations
WordPress installations using the Shortcodes Ultimate plugin with the Freemius SDK version 2.10.1 or earlier are affected. Administrators should check their plugin versions to determine if they are running a vulnerable version.
How can I check if I am using a vulnerable version?
Verifying plugin versions
To check if you are using a vulnerable version, navigate to the Plugins section in your WordPress admin dashboard. Look for the Shortcodes Ultimate plugin and verify its version against the patched version, which is 7.3.4.
How can I fix this vulnerability?
Steps to mitigate the issue
To fix this vulnerability, update the Shortcodes Ultimate plugin to version 7.3.4 or later, which includes the patched version of the Freemius SDK. Regularly monitor and apply updates to all plugins to ensure security.
What does the CVSS score of 6.1 mean?
Understanding the severity rating
The CVSS score of 6.1 indicates a medium severity level for this vulnerability. It suggests that while the potential impact is significant, it requires user interaction for exploitation, meaning an attacker cannot exploit it without tricking a user into clicking a malicious link.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
If exploited, this vulnerability could allow an attacker to execute arbitrary JavaScript in the context of an administrator’s session. This could lead to actions such as session hijacking, unauthorized plugin installations, or data theft.
What is a proof of concept (PoC) for this vulnerability?
Demonstrating the exploit
A proof of concept for this vulnerability involves creating a crafted URL that includes a JavaScript payload in the ‘url’ parameter. For example, a URL like ‘/wp-admin/admin.php?page=shortcodes-ultimate&url=javascript:alert(document.domain)’ would execute the alert in the admin’s browser when clicked.
What measures can I take to further secure my WordPress site?
Additional security practices
In addition to updating vulnerable plugins, consider implementing security plugins that provide firewalls, monitoring, and additional sanitization. Regularly audit your plugins and themes, and educate users on the risks of clicking unknown links.
How can I stay informed about future vulnerabilities?
Keeping up with security updates
Stay informed by subscribing to security mailing lists, following WordPress security blogs, and monitoring the CVE database. Regularly check for updates from plugin developers and apply them promptly.
What should I do if I suspect exploitation?
Responding to potential attacks
If you suspect that your site has been exploited, immediately change passwords for all accounts, review user activity logs, and consider restoring from a clean backup. Conduct a thorough security audit to identify and mitigate further risks.
Is there a way to report vulnerabilities I find?
Responsible disclosure
Yes, if you discover a vulnerability, you can report it to the plugin developer or use platforms like HackerOne for responsible disclosure. Ensure to provide detailed information to help them understand and address the issue.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations