Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 4, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (webba-booking-lite)

Severity: Medium (CVSS 6.1)
CWE: 79
Vulnerable Version: 5.0.57
Patched Version:
Disclosed: April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based):

This is a Reflected DOM-Based Cross-Site Scripting vulnerability affecting the Freemius SDK library, version 2.10.1 and earlier. The vulnerability exists in the url parameter used by various WordPress plugins and themes, including webba-booking-lite. Attackers can inject arbitrary JavaScript without authentication (CVSS 6.1, medium severity), requiring user interaction via a crafted link.

The root cause is improper input sanitization and output escaping of the url parameter within the Freemius SDK’s JavaScript. The CWE-79 classification confirms this is a cross-site scripting issue where user-controllable input flows into DOM sinks without proper handling. Since no source code is available, Atomic Edge research infers the vulnerability likely occurs where the SDK processes a url parameter to initiate a redirect, popup, or overlay. The SDK probably reads the value from the URL query string and directly assigns it to DOM properties like location.href, window.location, or innerHTML without sanitization.

Exploitation requires tricking a victim into clicking a crafted link. The attacker constructs a URL to a vulnerable site that includes a malicious url parameter with JavaScript payload. The payload executes in the victim’s browser context when the Freemius SDK processes the parameter. For example: https://victim-site.com/?url=javascript:alert(document.cookie). The attack works against unauthenticated users, making it straightforward to execute via phishing emails or social engineering.

The patch likely adds proper URL validation before the parameter is used in DOM operations. The fix should parse the url parameter against a whitelist of allowed schemes (http, https), validate the URL format with PHP's built-in filter_var with FILTER_VALIDATE_URL before passing it to JavaScript, and use JavaScript's URL constructor or DOMPurify on the client side. Output escaping via esc_url or wp_kses in PHP is essential.
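The client-side half of that fix, as an added example written for this analysis (it is not Freemius SDK code, and the function names, the base URL and the "url" query key are assumptions): the value is parsed with the URL constructor, the scheme is checked against an http/https whitelist, and only the normalized absolute URL reaches a navigation sink such as location.href. It goes slightly beyond the text by also taking an optional host allowlist, since a scheme check alone still leaves an open redirect.

```javascript
// Added example, not Freemius/Atomic Edge code: validate a "url" query
// parameter before it is assigned to a DOM navigation sink.
const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

/**
 * Resolve `raw` against `base` and return an absolute http(s) URL string,
 * or null if the value must not be used as a navigation target.
 * If `allowedHosts` is given, the host must also be on that list
 * (closes the open-redirect case the scheme check alone leaves open).
 */
function safeRedirectTarget(raw, base, allowedHosts = null) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let parsed;
  try {
    // The WHATWG parser lowercases the scheme and strips leading/trailing
    // whitespace and embedded tabs/newlines, so "JavaScript:" and
    // "java\tscript:" cannot slip past this check the way they would
    // slip past a naive string-prefix comparison.
    parsed = new URL(raw, base);
  } catch {
    return null; // unparseable input is rejected, never passed through
  }
  if (!SAFE_PROTOCOLS.has(parsed.protocol)) return null;
  if (allowedHosts && !allowedHosts.includes(parsed.host)) return null;
  return parsed.href; // normalized absolute URL, safe for location.href
}

/**
 * Hardened handler: read the "url" query parameter (assumed key), validate
 * it, and hand only a vetted URL to `sink`. Returns the target that was
 * used, or null when the value was blocked.
 * In a browser the sink would be `(u) => { window.location.href = u; }`
 * and `queryString` would be `window.location.search`.
 */
function hardenedHandler(queryString, sink, base, allowedHosts = null) {
  const raw = new URLSearchParams(queryString).get("url");
  const target = safeRedirectTarget(raw, base, allowedHosts);
  if (target !== null) sink(target);
  return target;
}
```

The choice to resolve relative values against a known base (rather than to reject them) keeps legitimate in-site redirects like /account working; the host allowlist is what stops protocol-relative values such as //other-host/ from turning the same parameter into an off-site redirect.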

Successful exploitation enables arbitrary JavaScript execution in the victim’s browser. Attackers can steal session cookies, exfiltrate sensitive page content, perform actions on behalf of the victim, or redirect to malicious sites. While the CVSS impact is limited to low confidentiality and integrity loss (no privilege escalation), the real-world risk includes credential theft and account takeover.
