Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 10, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (wc-cashapp)

Plugin: wc-cashapp
Severity: Medium (CVSS 6.1)
CWE: 79
Vulnerable Version: 6.0.2
Patched Version: 6.0.3.1
Disclosed: April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362:

This vulnerability is a reflected DOM-based cross-site scripting (XSS) issue found in multiple plugins and themes that bundle the Freemius SDK version 2.10.1 and earlier. The flaw exists because the 'url' parameter is not sanitized or escaped before being used in a JavaScript context. An unauthenticated attacker can craft a malicious link that, when clicked by a logged-in administrator, executes arbitrary JavaScript in that administrator's browser. The CVSS score is 6.1 (Medium), indicating a significant but not critical risk.

Root Cause: The Freemius SDK's connect page (typically located at /wp-admin/admin.php?page=freemius-connect) expects a 'url' parameter that is used to redirect the user after authentication. In the vulnerable code, this parameter is retrieved directly from the request and echoed into JavaScript without any sanitization or encoding, which allows an attacker to inject script tags or event handlers. The specific code path is in the Freemius SDK file connect.php (or similar) where the value of $_GET['url'] is used unsafely. Note that the diff shown on this page is not from the Freemius SDK itself but from a plugin that uses it; the vulnerability is in how the 'url' parameter is handled in the Freemius SDK's JavaScript code.

Exploitation: An attacker can craft a URL such as: https://target.com/wp-admin/admin.php?page=freemius-connect&url=javascript:alert(1). When the victim administrator clicks this link and the page loads, the JavaScript payload executes in the context of the admin dashboard. The attacker needs no account on the site, but the victim must be logged into WordPress as an administrator for the payload to have high impact. The attack vector is a reflected XSS, meaning the payload is carried in the URL and executes as soon as the page loads.

Patch Analysis: The patch (not shown in this diff but typical for Freemius SDK v2.10.2) applies proper escaping using esc_url_raw() or similar before outputting the URL parameter into JavaScript. For example, the vulnerable code echo "var url = '" . $_GET['url'] . "';"; becomes echo "var url = '" . esc_url_raw($_GET['url']) . "';"; This prevents script injection by encoding or stripping unsafe characters. The plugin diffs shown indicate other XSS fixes in the CashApp plugin, but the core Freemius SDK vulnerability is patched in the SDK update.
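The following is an added example, not code from the Freemius SDK or from the wc-cashapp plugin, showing the hardened counterpart of the pattern described above. It applies two independent controls before the 'url' value reaches the page: a redirect-target check (a plain-PHP stand-in for wp_validate_redirect() / esc_url_raw(); the allowed host is passed as a parameter rather than read from home_url()) and emission of the value as a JSON string literal (a stand-in for wp_json_encode()). The second layer matters because esc_url_raw() strips disallowed schemes such as javascript: but leaves the apostrophe in place, so on its own it cannot keep a value inside a single-quoted JavaScript string. The function names and sample inputs are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Freemius SDK or the wc-cashapp plugin.
// Hardened counterpart of:  echo "var url = '" . $_GET['url'] . "';";

/**
 * Return $candidate when it is a site-relative path or an http(s) URL on
 * $allowed_host; otherwise return $fallback. Stand-in for
 * wp_validate_redirect(): the allowed host is an explicit parameter here.
 */
function safe_redirect_target(string $candidate, string $allowed_host, string $fallback = '/wp-admin/'): string
{
    $candidate = trim($candidate);
    if ($candidate === '') {
        return $fallback;
    }
    if ($candidate[0] === '/') {
        // "//host" and "/\host" are scheme-relative and would leave the site.
        $second = $candidate[1] ?? '';
        return ($second === '/' || $second === '\\') ? $fallback : $candidate;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;                       // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;                       // rejects javascript:, data:, vbscript:, ...
    }
    if (strcasecmp($parts['host'], $allowed_host) !== 0) {
        return $fallback;                       // rejects redirects to a foreign host
    }
    return $candidate;
}

/**
 * Encode a PHP string as a JavaScript string literal that is safe inside an
 * inline <script> element (stand-in for wp_json_encode()): < > & ' " become
 * \uXXXX escapes, so the literal cannot close the string or the script element.
 */
function js_string_literal(string $value): string
{
    $flags   = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES;
    $encoded = json_encode($value, $flags);
    return $encoded === false ? '""' : $encoded;   // invalid UTF-8: emit an empty literal
}

/** What the connect page would print for a given raw $_GET['url'] value. */
function render_redirect_script(string $raw_url_param, string $allowed_host): string
{
    $target = safe_redirect_target($raw_url_param, $allowed_host);
    return '<script>var url = ' . js_string_literal($target) . ';</script>';
}

// Constructed sample inputs (not from the advisory). The third is the payload
// shape quoted in the analysis; the fourth passes validation as a relative path
// and shows why the string-literal encoding is still needed on top of it.
$samples = [
    '/wp-admin/admin.php?page=wc-settings',
    'https://shop.example/wp-admin/',
    'javascript:alert(1)',
    "/wp-admin/admin.php?page=x&q='</script>",
    'https://evil.example/phish',
];
foreach ($samples as $sample) {
    echo render_redirect_script($sample, 'shop.example'), PHP_EOL;
}
```

Run it with php on the command line; the first, second and fourth samples come back as quoted JSON literals (the fourth with its apostrophe and angle brackets as \u escapes) and the others fall back to /wp-admin/. Inside WordPress the two stand-ins map onto wp_validate_redirect() and wp_json_encode(), and the inline script is better registered through wp_add_inline_script() than echoed directly.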

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the WordPress admin dashboard. This can be used to steal session cookies, perform administrative actions on behalf of the victim (e.g., create new admin users, modify site content, install malicious plugins), or redirect users to phishing pages. The impact is high because the attacker gains full administrative control over the WordPress site.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/wc-cashapp/cashapp.php
+++ b/wc-cashapp/cashapp.php
@@ -6,12 +6,12 @@
 Description: The #1 finance app in the App Store now on WordPress. Receive Cash App payments on your website with WooCommerce + Cash App
 Author: The African Boss
 Author URI: https://theafricanboss.com
-Version: 6.0.2
+Version: 6.0.3.1
 Requires PHP: 5.0
 Requires at least: 5.0
-Tested up to: 6.6.2
+Tested up to: 6.7.1
 WC requires at least: 6.0.0
-WC tested up to: 9.3.3
+WC tested up to: 9.4.2
 Text Domain: wc-cashapp
 Domain Path: languages
 Created: 2020
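Review bot: the unchanged `Requires PHP: 5.0` header in this block is inaccurate for the code this patch ships: `square-redirect.php` in the same patch uses the null coalescing operator `??` (PHP 7.0+), and the `#[AllowDynamicProperties]` attribute added to the class files is only meaningful on 8.2+. Raise the minimum to what the code actually needs so the plugin fails at install time rather than with a parse error on an old runtime. The `Version`, `Tested up to` and `WC tested up to` bumps are fine.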
@@ -94,7 +94,7 @@
         require_once WCCASHAPP_PLUGIN_DIR . 'includes/notifications/woocommerce.php';
     }
     // translations
-    add_action( 'plugins_loaded', function () {
+    add_action( 'init', function () {
         load_plugin_textdomain( WCCASHAPP_PLUGIN_TEXT_DOMAIN, false, dirname( plugin_basename( __FILE__ ) ) . '/languages/' );
     } );
     if ( is_admin() ) {
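Review bot: moving `load_plugin_textdomain()` from `plugins_loaded` to `init` matches the WordPress 6.7 requirement that translations not be loaded earlier than `init`; no security impact. Worth checking that nothing else in the plugin calls `__()`/`esc_html__()` on `WCCASHAPP_PLUGIN_TEXT_DOMAIN` before `init` (for example in the top-level requires just above), since on 6.7+ that would now trigger a `_doing_it_wrong` notice.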
--- a/wc-cashapp/includes/admin/square-redirect.php
+++ b/wc-cashapp/includes/admin/square-redirect.php
@@ -1,15 +1,13 @@
 <?php if ( ! defined( 'ABSPATH' ) ) { exit; }

 $action = 'wc_cash_app_pay_connect';
-$nonce = urldecode($_REQUEST['_wpnonce']) ?? urldecode($_GET['_wpnonce']);
+$nonce = isset($_REQUEST['_wpnonce']) ? esc_html(urldecode($_REQUEST['_wpnonce'])) : esc_html(urldecode($_GET['_wpnonce']));

-$oauth = isset($_REQUEST['oauth']) ? urldecode($_REQUEST['oauth']) : (isset($_GET['oauth']) ? urldecode($_GET['oauth']) : null);
+$oauth = isset($_REQUEST['oauth']) ? esc_html(urldecode($_REQUEST['oauth'])) : (isset($_GET['oauth']) ? esc_html(urldecode($_GET['oauth'])) : null);
 parse_str($oauth, $parsed);

 if ( ! isset( $nonce ) || wp_verify_nonce( $nonce, $action ) === false ) {
-    wp_die( "Invalid nonce. $nonce<br>" .
-    var_export( $parsed, true ) .
-      "<p>Unable to get Square Tokens for Cash App Pay</p>");
+    wp_die( wp_kses_post("Invalid nonce. $nonce<br>" . var_export( $parsed, true ) . "<p>Unable to get Square Tokens for Cash App Pay</p>") );
 }

 $html = '<div class="wrap">';
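Review bot: on the `$nonce` and `$oauth` lines `esc_html()` is applied to request input before it is used, which is the wrong stage. `esc_html('a=1&b=2')` returns `a=1&amp;b=2`, so the `parse_str($oauth, $parsed)` that follows now yields a key named `amp;b` instead of `b`, and the value handed to `wp_verify_nonce()` is whatever kses made of it (harmless for a hex nonce token, but it signals the wrong mental model). Keep the raw values (run through `sanitize_text_field()` if anything) for verification and parsing, and escape only where `$nonce` and `$parsed` are printed, which the new `wp_kses_post()` wrapper on `wp_die()` already does. The `else` branch still reads `$_GET['_wpnonce']` without `isset()`, so the undefined-index notice on a request with no nonce remains; note too that the old `urldecode($_REQUEST[...]) ?? urldecode($_GET[...])` never fell through, because `urldecode()` always returns a string.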
--- a/wc-cashapp/includes/admin/square.php
+++ b/wc-cashapp/includes/admin/square.php
@@ -1,6 +1,6 @@
 <?php if ( ! defined( 'ABSPATH' ) ) { exit; }

-$redirect = urlencode( $_SERVER['REQUEST_URI'] );
+$redirect = esc_url(urlencode( $_SERVER['REQUEST_URI'] ));
 $next_renewal = gmdate("F jS, Y g:i a", wp_next_scheduled( 'wc_cashapp_square_renewal_token_cron_hook' ));

 $gateway = new WC_Cash_App_Pay_Gateway();
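Review bot: `esc_url(urlencode($_SERVER['REQUEST_URI']))` on the `$redirect` line produces a broken value. After `urlencode()` the string begins with `%2F` and contains no `:`, and `esc_url()` prefixes `http://` to any value that has no scheme and does not start with `/`, `#` or `?`, so `$redirect` becomes `http://%2Fwp-admin%2Fadmin.php%3F...`. The variable appears to be the one interpolated as `&redirect=$redirect` in `square-connect.php`, where the whole URL is passed through `esc_url()` a second time. Validate the raw URI first (`wp_validate_redirect()`, or restrict it to the plugin's own admin page) and `rawurlencode()` it at the point it is placed into the query string; `esc_url()` belongs on the final attribute output, not on an encoded fragment.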
--- a/wc-cashapp/includes/class-wc_cashapp_square.php
+++ b/wc-cashapp/includes/class-wc_cashapp_square.php
@@ -1,6 +1,7 @@
 <?php if ( ! defined( 'ABSPATH' ) ) { exit; }

 if ( !class_exists( 'WC_Cashapp_Square' ) && class_exists( 'WC_Cash_App_Pay_Gateway' ) ):
+#[AllowDynamicProperties]
 class WC_Cashapp_Square extends WC_Cash_App_Pay_Gateway {

   function register() {
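Review bot: `#[AllowDynamicProperties]` is harmless on PHP 7 (the `#[` line parses as a comment) and silences the 8.2 dynamic-property deprecation, but it is unrelated to the escaping fixes and hides which properties the class actually relies on (`SQ_Access_Token`, `SQ_Refresh_Token` and `enabled` are read later in this file). Prefer declaring the properties that are populated from options, or say in the commit message why the attribute is the chosen approach.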
@@ -25,20 +26,20 @@
       $access_token = esc_html( $_POST['access_token'] );
       $refresh_token = esc_html( $_POST['refresh_token'] );

-      $referer = wp_kses_post(urldecode( $_POST['_wp_http_referer'] ));
+      $referer = esc_html(urldecode( $_POST['_wp_http_referer'] ));
       $html = '<div class="wrap"><div style="padding: 10rem">' ;

       if ( !wp_verify_nonce( $_POST['save_live_square_env_nonce'], 'save_live_square_env' ) ) {
-          wp_die( '<p style="margin-top: 50px;">
+          wp_die( wp_kses_post('<p style="margin-top: 50px;">
   <a style="padding: 1rem; border: none; background-color: black; color: white; text-decoration: none;"
   href="' . $referer . '">Go Back</a></p><br><br>
-  <h1>Invalid nonce</h1>' . var_export( $_POST, true ) );
+  <h1>Invalid nonce</h1>' . var_export( $_POST, true ) ));
       }
       if ( !$referer ) {
-          wp_die( '<p style="margin-top: 50px;">
+          wp_die( wp_kses_post('<p style="margin-top: 50px;">
   <a style="padding: 1rem; border: none; background-color: black; color: white; text-decoration: none;"
   href="' . $referer . '">Go Back</a></p><br><br>
-  <h1>Missing target</h1>' . var_export( $_POST, true ) );
+  <h1>Missing target</h1>' . var_export( $_POST, true ) ));
       }

       $this->update_option( 'SQ_Merchant_Id', $merchant_id );
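Review bot: `$referer` is escaped with `esc_html()` on the changed line but is then placed in `href="' . $referer . '"`; `esc_html()` does not validate the scheme, so a `javascript:` referer is only neutralised by the outer `wp_kses_post()` (which runs `wp_kses_bad_protocol()` on `href`). Use `esc_url()` for the attribute, or `wp_validate_redirect()` to pin it to this site, so the safety does not depend on the wrapper. Separately, `var_export( $_POST, true )` inside each `wp_die()` prints the full POST body, which in this handler includes `access_token` and `refresh_token` from the context lines above, onto an error page; drop the dump or log it server-side. The `esc_html()` on `$_POST['access_token']` / `$_POST['refresh_token']` before they are stored is the same input-vs-output confusion as in `square-redirect.php`: escape when rendering, not when persisting.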
@@ -64,28 +65,28 @@
   }

   function wc_cashapp_revoke_square_token() {
-      $referer = wp_kses_post(urldecode( $_POST['_wp_http_referer'] ));
+      $referer = esc_html(urldecode( $_POST['_wp_http_referer'] ));
       $html = '<div class="wrap"><div style="padding: 10rem">' ;

       if ( !wp_verify_nonce( $_POST['revoke_square_token_nonce'], 'revoke_square_token' ) ) {
-          wp_die( '<p style="margin-top: 50px;">
+          wp_die( wp_kses_post('<p style="margin-top: 50px;">
   <a style="padding: 1rem; border: none; background-color: black; color: white; text-decoration: none;"
   href="' . $referer . '">Go Back</a></p><br><br>
-  <h1>Invalid nonce</h1>' . var_export( $_POST, true ) );
+  <h1>Invalid nonce</h1>' . var_export( $_POST, true ) ));
       }
       if ( !$referer ) {
-          wp_die( '<p style="margin-top: 50px;">
+          wp_die( wp_kses_post('<p style="margin-top: 50px;">
   <a style="padding: 1rem; border: none; background-color: black; color: white; text-decoration: none;"
   href="' . $referer . '">Go Back</a></p><br><br>
-  <h1>Missing target</h1>' . var_export( $_POST, true ) );
+  <h1>Missing target</h1>' . var_export( $_POST, true ) ));
       }

       $access_token = $this->SQ_Access_Token;
       if ( !$access_token ) {
-          wp_die( '<p style="margin-top: 50px;">
+          wp_die( wp_kses_post('<p style="margin-top: 50px;">
   <a style="padding: 1rem; border: none; background-color: black; color: white; text-decoration: none;"
   href="' . $referer . '">Go Back</a></p><br><br>
-  <h1>Missing access token</h1>' . var_export( $_POST, true ) );
+  <h1>Missing access token</h1>' . var_export( $_POST, true ) ));
       }

       $data = array( 'access_token' => $access_token, 'origin' => get_bloginfo('url'), 'admin_email' => get_bloginfo('admin_email') );
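Review bot: same `esc_html()`-in-`href` and `var_export( $_POST )` concerns as in the previous hunk. The `wp_die()` block with the "Go Back" link now appears eight times across the hunks shown, differing only in the `<h1>` text; factor it into one private helper (for example `$this->die_with_back_link( $referer, $message )`) that validates and escapes `$referer` once, so the next escaping change does not have to be repeated in every copy.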
@@ -158,28 +159,28 @@
   }

   function wc_cashapp_refresh_square_token() {
-      $referer = wp_kses_post(urldecode( $_POST['_wp_http_referer'] ));
+      $referer = esc_html(urldecode( $_POST['_wp_http_referer'] ));
       $html = '<div class="wrap"><div style="padding: 10rem">';

       if ( !wp_verify_nonce( $_POST['refresh_square_token_nonce'], 'refresh_square_token' ) ) {
-          wp_die( '<p style="margin-top: 50px;">
+          wp_die( wp_kses_post('<p style="margin-top: 50px;">
   <a style="padding: 1rem; border: none; background-color: black; color: white; text-decoration: none;"
   href="' . $referer . '">Go Back</a></p><br><br>
-  <h1>Invalid nonce</h1>' . var_export( $_POST, true ) );
+  <h1>Invalid nonce</h1>' . var_export( $_POST, true ) ));
       }
       if ( !$referer ) {
-          wp_die( '<p style="margin-top: 50px;">
+          wp_die( wp_kses_post('<p style="margin-top: 50px;">
   <a style="padding: 1rem; border: none; background-color: black; color: white; text-decoration: none;"
   href="' . $referer . '">Go Back</a></p><br><br>
-  <h1>Missing target</h1>' . var_export( $_POST, true ) );
+  <h1>Missing target</h1>' . var_export( $_POST, true ) ));
       }

       $refresh_token = $this->SQ_Refresh_Token;
       if ( !$refresh_token ) {
-          wp_die( '<p style="margin-top: 50px;">
+          wp_die( wp_kses_post('<p style="margin-top: 50px;">
   <a style="padding: 1rem; border: none; background-color: black; color: white; text-decoration: none;"
   href="' . $referer . '">Go Back</a></p><br><br>
-  <h1>Missing refresh token</h1>' . var_export( $_POST, true ) );
+  <h1>Missing refresh token</h1>' . var_export( $_POST, true ) ));
       }

       $data = array( 'refresh_token' => $refresh_token, 'origin' => get_bloginfo('url'), 'admin_email' => get_bloginfo('admin_email') );
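Review bot: in every `if ( !$referer )` branch, including the one in this hunk, the "Go Back" link is built as `href="' . $referer . '"` with a `$referer` that is known to be empty, producing `href=""` (a link back to the current POST URL). Fall back to `admin_url()` in that branch so the link is useful, and the `wp_kses_post()` wrapper then has a real URL to filter.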
@@ -254,17 +255,19 @@
     }

     $html .= '</div></div>';
-    echo $html;
+    echo wp_kses_post($html);
     exit;
   }

 	function wc_cashapp_renew_square_token_cron() {
 		$refresh_token = $this->SQ_Refresh_Token;
     $error_message = '';
+    if ( 'yes' !== $this->enabled ) { return; }
+
     $url = $this->wc_cash_app_pay_square_url('refresh', true);

 		if ( empty($refresh_token) ) {
-			// $this->wc_cashapp_refresh_token_logs( 'Missing refresh token' . var_export( $_POST, true ) );
+			// $this->wc_cashapp_refresh_token_logs( 'Missing refresh token' . wp_kses_post(var_export( $_POST, true ) ));
       $error_message = 'Missing refresh token. Please renew it manually in your admin dashboard to keep processing Cash App Pay orders or disable Cash App Pay.';
 		} else if ( filter_var($url, FILTER_VALIDATE_URL) ) {

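Review bot: `echo wp_kses_post($html)` at the end of the handler is a reasonable output filter for this admin markup. The edit to the commented-out `wc_cashapp_refresh_token_logs(...)` line, however, is dead code: wrapping `var_export()` in `wp_kses_post()` inside a comment changes nothing, and if the logging is ever re-enabled a log sink wants no HTML escaping at all. Either delete the comment or restore the logging without kses. The new `if ( 'yes' !== $this->enabled ) { return; }` early exit in the cron callback is sensible; it sits after `$refresh_token` is read but before `$url` is built, so disabled gateways now skip the "Missing refresh token" message as well, which reads as intended.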
--- a/wc-cashapp/includes/class-wc_cashapp_update_order.php
+++ b/wc-cashapp/includes/class-wc_cashapp_update_order.php
@@ -1,6 +1,7 @@
 <?php if ( ! defined( "ABSPATH" ) ) { exit; }

 if ( !class_exists( "WC_Cashapp_Update_Order" ) && class_exists( "WC_Cashapp_Gateway" ) ):
+#[AllowDynamicProperties]
 class WC_Cashapp_Update_Order extends WC_Cashapp_Gateway {

   function register() {
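Review bot: same `#[AllowDynamicProperties]` comment as for `WC_Cashapp_Square` above; declare the properties this class populates dynamically, or document why the attribute was chosen instead.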
--- a/wc-cashapp/includes/functions/square-connect.php
+++ b/wc-cashapp/includes/functions/square-connect.php
@@ -31,6 +31,6 @@
 // // $square = "http://localhost:8000/connect?name=$name&domain=$domain&fname=$fname&lname=$lname&email=$email&phone=$phone&extension=$extension&key=$key&thumbnailUrl=$thumbnailUrl";
 // $square = ' <a href="https://square.theafricanboss.com/access.php?sn=' . urlencode(get_bloginfo("name")) . '&su=' . urlencode(get_site_url()) . '&fn=' . urlencode($first_name) . '&ln=' . urlencode($last_name) . '&em=' . urlencode(get_bloginfo("admin_email")) . '&ph=' . urlencode($phone) . '&th=' . urlencode(get_site_icon_url()) . '&_wpnonce=' . urlencode(wp_create_nonce( 'wc_cash_app_pay_connect' )) . '&ref=' . WCCASHAPP_PLUGIN_SLUG . '" target="_blank">Get it here</a>';
 $uniq = uniqid();
-$square_connect_url = "https://square.theafricanboss.com/access.php?nonce=$uniq&_wpnonce=$_wpnonce&redirect=$redirect&sn=$sn&su=$su&fn=$fn&ln=$ln&em=$em&ph=$ph&th=$th&ref=$ref&v=2";
+$square_connect_url = esc_url("https://square.theafricanboss.com/access.php?nonce=$uniq&_wpnonce=$_wpnonce&redirect=$redirect&sn=$sn&su=$su&fn=$fn&ln=$ln&em=$em&ph=$ph&th=$th&ref=$ref&v=2");

 ?>
 No newline at end of file
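Review bot: `esc_url()` on `$square_connect_url` is the display-context escaper: it rewrites `&` to `&#038;`, so the value is right inside an `href` attribute but wrong if it is handed to `wp_redirect()` / `header('Location: ...')` or printed into JavaScript, where `esc_url_raw()` is needed instead. More importantly, the interpolated values (`$_wpnonce`, `$redirect`, `$sn`, `$su`, `$fn`, `$ln`, `$em`, `$ph`, `$th`, `$ref`) are not `rawurlencode()`d on this line, unlike the commented-out variant directly above it, so a site name containing `&` or `#` corrupts the query string and `esc_url()` will not repair it. Build the URL from `rawurlencode()`d values (or pass pre-encoded values to `add_query_arg()`) and escape once at the point of output.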
--- a/wc-cashapp/includes/functions/square-url.php
+++ b/wc-cashapp/includes/functions/square-url.php
@@ -31,7 +31,7 @@

     // $square = ' <a href="https://square.theafricanboss.com/access.php?sn=' . urlencode(get_bloginfo("name")) . '&su=' . urlencode(get_site_url()) . '&fn=' . urlencode($first_name) . '&ln=' . urlencode($last_name) . '&em=' . urlencode(get_bloginfo("admin_email")) . '&ph=' . urlencode($phone) . '&th=' . urlencode(get_site_icon_url()) . '&_wpnonce=' . urlencode(wp_create_nonce( 'connect_store_to_emailreceipts' )) . '&ref=' . WCCASHAPP_PLUGIN_SLUG . '" target="_blank">Get it here</a>';
     $uniq = uniqid();
-    $square_url = "https://square.theafricanboss.com/$string.php?nonce=$uniq&_wpnonce=$_wpnonce&sn=$sn&su=$su&fn=$fn&ln=$ln&em=$em&ph=$ph&th=$th&ref=$ref&v=2";
+    $square_url = esc_url("https://square.theafricanboss.com/$string.php?nonce=$uniq&_wpnonce=$_wpnonce&sn=$sn&su=$su&fn=$fn&ln=$ln&em=$em&ph=$ph&th=$th&ref=$ref&v=2");
 }

 ?>
 No newline at end of file
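Review bot: same issue as in `square-connect.php`: the values interpolated into `$square_url` are unencoded and `esc_url()` is a display escaper. In addition `$string` selects the `.php` endpoint name; the call site in the class file passes the literal `'refresh'`, but since `esc_url()` accepts any path segment, guard it with a fixed allow-list inside this function rather than relying on every caller.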
--- a/wc-cashapp/includes/notifications/woocommerce.php
+++ b/wc-cashapp/includes/notifications/woocommerce.php
@@ -1,7 +1,7 @@
 <?php if ( ! defined( 'ABSPATH' ) ) { exit; }

 add_action( 'admin_notices', function () {
-	echo '<div class="error"><p><strong>Checkout with Cash App on Woocommerce requires WooCommerce to be installed and active.</strong> <a href="' . esc_html(admin_url('plugin-install.php?s=woocommerce&tab=search&type=term')) . '">Download and Activate WooCommerce here</a></p></div>';
+	echo '<div class="error"><p><strong>Checkout with Cash App on Woocommerce requires WooCommerce to be installed and active.</strong> <a href="' . esc_url(admin_url('plugin-install.php?s=woocommerce&tab=search&type=term')) . '">Download and Activate WooCommerce here</a></p></div>';
 } );

 ?>
 No newline at end of file
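Review bot: correct change. `esc_html()` on an `href` value only entity-encodes `&` and quotes and performs no protocol check, while `esc_url()` is the attribute-context escaper. Because `admin_url()` output is trusted this is hygiene rather than a vulnerability fix. Minor: the notice text on this line is a plain literal with no `__()`, unlike the other user-facing strings in the plugin.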
--- a/wc-cashapp/includes/pages/checkout.php
+++ b/wc-cashapp/includes/pages/checkout.php
@@ -35,8 +35,8 @@
 // $checkout_html .= ' ' . esc_html__( 'or Scan', WCCASHAPP_PLUGIN_TEXT_DOMAIN ) . ' > <a href="https://cash.app/', esc_attr( wp_kses_post( $this->ReceiverCashApp ) ), '/' , esc_attr( wp_kses_post( $amount  ) ), '" target="_blank"><img width="150" height="150" class="logo-qr" alt="Cash App Link" src="https://emailreceipts.io/qr?d=100&t=https://cash.app/', esc_attr( wp_kses_post( $this->ReceiverCashApp ) ), '/' , esc_attr( wp_kses_post( $amount  ) ), '"></a></p>';
 $checkout_html .= $qr_code;
 $checkout_html .= '<p>' . wp_kses_post( __( '<strong>After paying, please come back here and place the order</strong> below so we can start processing your order', WCCASHAPP_PLUGIN_TEXT_DOMAIN ) ) . '.</p>';
-$call = esc_html__( 'call', WCCASHAPP_PLUGIN_TEXT_DOMAIN ) . ' <a href="tel:' . esc_html( wp_kses_post( $this->ReceiverCASHAPPNo ) ) . '" target="_blank">' . esc_html( wp_kses_post( $this->ReceiverCASHAPPNo ) ) . '</a>.';
-$email = ' ' . esc_html__( 'You can also email', WCCASHAPP_PLUGIN_TEXT_DOMAIN ) . ' <a href="mailto:' . esc_html( wp_kses_post( $this->ReceiverCASHAPPEmail ) ) . '" target="_blank">' . esc_html( wp_kses_post( $this->ReceiverCASHAPPEmail ) ) . '</a>';
+$call = esc_html__( 'call', WCCASHAPP_PLUGIN_TEXT_DOMAIN ) . ' <a href="tel:' . esc_attr( $this->ReceiverCASHAPPNo ) . '" target="_blank">' . esc_html( $this->ReceiverCASHAPPNo ) . '</a>.';
+$email = ' ' . esc_html__( 'You can also email', WCCASHAPP_PLUGIN_TEXT_DOMAIN ) . ' <a href="mailto:' . esc_attr( $this->ReceiverCASHAPPEmail ) . '" target="_blank">' . esc_html( $this->ReceiverCASHAPPEmail ) . '</a>';
 $checkout_html .= '<p>' . esc_html__( 'If you are having an issue', WCCASHAPP_PLUGIN_TEXT_DOMAIN ) . ', ' . wp_kses_post( ( $call ? $call : '' ) ) . wp_kses_post( ( $email ? $email : '' ) ) . '</p>';
 // toggleTutorial
 if ( 'yes' === $this->toggleTutorial ) {
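Review bot: replacing `esc_html( wp_kses_post( ... ) )` with `esc_attr()` on the attribute and `esc_html()` on the text node is the right split. `esc_attr()` on a `tel:` / `mailto:` href prevents attribute breakout but does not validate the scheme; `ReceiverCASHAPPNo` and `ReceiverCASHAPPEmail` are admin-set options so the exposure is limited, but `esc_url()` would validate as well, since both `tel` and `mailto` are in `wp_allowed_protocols()`. The `wp_kses_post( ( $call ? $call : '' ) )` on the following context line then filters the already-escaped fragments a second time, which is redundant and obscures where the escaping actually happens.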
@@ -48,5 +48,5 @@
 // }
 do_action( 'woocommerce_form_end', $this->id );
 $checkout_html .= '<div class="clear"></div></fieldset>';
-echo $checkout_html;
-//return $checkout_html;
 No newline at end of file
+echo wp_kses_post( $checkout_html );
+//return wp_kses_post($checkout_html);
 No newline at end of file
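Review bot: `echo wp_kses_post( $checkout_html )` is an output-time filter over markup whose dynamic parts are already escaped where they are concatenated, so it is a second layer rather than the fix itself. Check what it removes: the `post` allow-list contains no `input`, `select` or `form` elements, so if this fieldset carries any payment-field or hidden inputs they will be stripped from the checkout page, while the `<img>` QR link in `$qr_code` should survive (`img` with `src` is allowed). If fields are lost, keep escaping each value at concatenation (as the `$call` / `$email` lines now do) and echo the assembled markup without the filter, or use `wp_kses( $checkout_html, $allowed )` with the form elements added to the allow-list.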
