
CVE-2024-13362: WordPress Plugins Reflected XSS Vulnerability

CVE-2024-13362 is a reflected XSS vulnerability affecting multiple WordPress plugins and themes via the url parameter. Unauthenticated attackers can inject malicious scripts. This article covers technical details, affected versions, impact, and mitigation.

Published: May 7, 2026

CVE-2024-13362 Overview

CVE-2024-13362 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting multiple WordPress plugins and themes that bundle the Freemius pricing script. The flaw resides in the handling of the url parameter, where insufficient input sanitization and output escaping allow attacker-supplied JavaScript to be reflected into rendered pages. Unauthenticated attackers can craft malicious links that execute arbitrary scripts in the victim's browser session when clicked. The vulnerability is tracked under CWE-79 and carries a CVSS 3.1 base score of 6.1. The issue was reported by Wordfence and remediated through WordPress plugin changesets including #3229060, #3235286, and #3249130.

Critical Impact

Successful exploitation enables session hijacking, credential theft, and administrative action abuse on affected WordPress sites when an authenticated user is lured into clicking a crafted link.

Affected Products

  • Multiple WordPress plugins bundling the Freemius SDK pricing script, including add-search-to-menu, featured-images-for-rss-feeds, foobox-image-lightbox, foogallery, and independent-analytics
  • Additional affected plugins: interactive-geo-maps, internal-links, master-addons, menu-image, ocean-extra, pdf-poster, shortcodes-ultimate, simply-gallery-block, spotlight-social-photo-feeds, tablepress
  • Further affected plugins: unlimited-elements-for-elementor, widgets-on-pages, woo-permalink-manager, wp-meta-and-date-remover, and wpide

Discovery Timeline

  • 2026-05-01 - CVE-2024-13362 published to NVD
  • 2026-05-01 - Last updated in NVD database

Technical Details for CVE-2024-13362

Vulnerability Analysis

The vulnerability exists within the freemius-pricing.js client-side pricing script that ships embedded across numerous WordPress plugins. When a user navigates to a plugin's pricing or upgrade page, the script reads the url query parameter and writes it back into the rendered DOM without applying adequate sanitization or output encoding. An attacker can supply a payload containing JavaScript or HTML event handlers in this parameter to achieve script execution under the origin of the WordPress site.

Reflected XSS in WordPress administrative contexts is high-impact because plugin pricing pages are commonly accessed by site administrators. Script execution in an authenticated administrator's browser can lead to plugin installation, account creation, or persistence through theme or plugin file modification. The CWE-79 classification reflects standard improper neutralization of input during web page generation.

Root Cause

The root cause is missing input sanitization and output escaping on the url parameter handled by the Freemius pricing script. The shared SDK code was reused verbatim across more than twenty plugins, propagating the same defect across the WordPress plugin ecosystem. Fixes were applied in upstream Freemius SDK updates and pulled into individual plugins through changesets #3229060, #3235286, and #3249130.
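The two paragraphs above describe the defect pattern (a url query parameter read by client-side code and written back into the page unvalidated and unescaped). The following is an added illustration written for this article, not code from freemius-pricing.js or from any of the affected plugins: it shows the unsafe flow next to one hardened form that only accepts same-origin http(s) URLs and then encodes for the HTML attribute context. All function names (readUrlParam, renderUnsafe, validateUrlParam, renderSafe) and the example origin are assumptions for the illustration; it relies only on the standard URL and URLSearchParams APIs available in browsers and Node.js.

```javascript
// Added example (not the Freemius SDK's code): how a "url" query parameter flows
// from the query string into markup, first in the unsafe pattern the advisory
// describes and then with validation plus output encoding.
// Function names are hypothetical; nothing here is taken from freemius-pricing.js.

// Pull the raw "url" parameter out of a query string (Node.js and browsers).
function readUrlParam(search) {
  return new URLSearchParams(search).get("url");
}

// UNSAFE pattern: the raw value is interpolated into markup, so tags and event
// handlers in the parameter become part of the document.
function renderUnsafe(search) {
  const url = readUrlParam(search) ?? "";
  return `<a href="${url}">Back</a>`; // the defect: no validation, no escaping
}

// Step 1: treat the parameter as data with an expected shape. Only absolute
// http(s) URLs on the site's own origin are accepted; javascript:, data:,
// protocol-relative and malformed values all come back as null.
function validateUrlParam(value, siteOrigin) {
  if (typeof value !== "string" || value.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(value, siteOrigin); // relative paths resolve against the site
  } catch {
    return null; // unparseable input
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  if (parsed.origin !== siteOrigin) return null;
  return parsed.href;
}

// Step 2: escape for the HTML attribute context even after validation, so a
// value that passed the check still cannot terminate the attribute or open a tag.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: invalid values fall back to a fixed, safe destination.
function renderSafe(search, siteOrigin) {
  const url = validateUrlParam(readUrlParam(search), siteOrigin) ?? siteOrigin + "/wp-admin/";
  return `<a href="${escapeHtml(url)}">Back</a>`;
}

// Constructed input: a query string carrying a markup-breaking payload.
const DEMO_QUERY = "?page=pricing&url=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";
console.log("unsafe:", renderUnsafe(DEMO_QUERY));
console.log("safe:  ", renderSafe(DEMO_QUERY, "https://example.test"));
```

Output encoding for the context the value lands in is the primary control; the allowlist validation narrows what can be reflected at all, which is why the hardened form applies both rather than relying on a blocklist of dangerous strings.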

Attack Vector

Exploitation requires user interaction. The attacker crafts a URL pointing to a vulnerable plugin's pricing endpoint with a malicious payload encoded into the url parameter, then delivers it through phishing, social engineering, or a malicious referrer. When a logged-in WordPress administrator follows the link, the payload executes in the context of the WordPress origin. No authentication is required of the attacker, and the scope is changed because script execution affects content beyond the originating component.

No verified public exploit code is available. Refer to the Wordfence Threat Intel Report for technical context on the reflected vector.

Detection Methods for CVE-2024-13362

Indicators of Compromise

  • HTTP requests to plugin pricing endpoints containing url= parameters with <script>, javascript:, onerror=, or other event-handler payloads
  • Outbound requests from WordPress administrator browsers to attacker-controlled domains immediately after visiting a plugin pricing page
  • Unexpected creation of WordPress administrator accounts, plugin installations, or modifications to wp-config.php and theme files following an admin session
  • Web server access logs showing referrers from external sites linking directly into freemius-pricing.js consuming pages

Detection Strategies

  • Inspect web application firewall (WAF) and reverse proxy logs for requests to /wp-admin/admin.php pages associated with affected plugins carrying suspicious url parameter values
  • Deploy content security policy (CSP) reporting to surface inline script execution attempts on WordPress admin pages
  • Hunt for the string freemius-pricing.js combined with non-URL characters in the url query parameter across HTTP telemetry
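The indicators and hunting strategies above can be turned into a small log scanner. The block below is an added example written for this article, not a SentinelOne or Wordfence detection: it parses combined-format access log lines, isolates the url query parameter on /wp-admin/ requests, decodes it repeatedly so double encoding cannot hide a payload, and reports the reason each request was flagged. The log lines, IP addresses, host names and the plugin page slug example-plugin-pricing are all constructed for the example.

```javascript
// Added example (not from the advisory or from SentinelOne): scan web-server
// access log lines for requests to /wp-admin/ pages whose "url" query parameter
// carries markup or script, which is the indicator the lists above describe.
// The log lines, IP addresses, host names and plugin page slug are constructed.

const SAMPLE_ACCESS_LOG = [
  // benign: url parameter is a plain relative path back to the plugin page
  '203.0.113.10 - - [07/May/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=example-plugin-pricing&url=%2Fwp-admin%2Fadmin.php%3Fpage%3Dexample-plugin HTTP/1.1" 200 5120 "https://example.test/wp-admin/" "Mozilla/5.0"',
  // script tag reflected through the url parameter, arriving from an external referrer
  '198.51.100.7 - - [07/May/2026:10:02:30 +0000] "GET /wp-admin/admin.php?page=example-plugin-pricing&url=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "https://lure.example/" "Mozilla/5.0"',
  // javascript: scheme in the url parameter
  '198.51.100.7 - - [07/May/2026:10:03:11 +0000] "GET /wp-admin/admin.php?page=example-plugin-pricing&url=javascript%3Aalert(document.cookie) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  // double-encoded event-handler payload; a single decode would miss it
  '198.51.100.7 - - [07/May/2026:10:04:45 +0000] "GET /wp-admin/admin.php?page=example-plugin-pricing&url=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  // static asset fetch: not an admin page and no url parameter
  '203.0.113.11 - - [07/May/2026:10:05:00 +0000] "GET /wp-content/plugins/example-plugin/assets/freemius-pricing.js HTTP/1.1" 200 40000 "https://example.test/wp-admin/admin.php?page=example-plugin-pricing" "Mozilla/5.0"',
];

// Combined log format: ip ident user [time] "method path protocol" status bytes "referer" "agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// Payload patterns applied to the fully decoded parameter value. The handler
// pattern requires a separator before "on" so ordinary words such as "option="
// inside a legitimate URL do not match.
const PAYLOAD_PATTERNS = [
  { reason: "script tag", re: /<\s*script\b/i },
  { reason: "javascript: scheme", re: /^\s*javascript\s*:/i },
  { reason: "event handler", re: /[\s"'<\/]on[a-z]+\s*=/i },
  { reason: "html tag", re: /<\s*[a-z!\/]/i },
];

// Decode until the value stops changing (bounded), so double encoding cannot
// hide a payload. Returns the value and how many extra decodes were needed.
function fullyDecode(value, maxRounds = 4) {
  let current = value;
  let extra = 0;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      break; // malformed percent sequence: keep what we have
    }
    if (next === current) break;
    current = next;
    extra++;
  }
  return { value: current, extraDecodes: extra };
}

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5], referer: m[6] };
}

// One finding per request that targets /wp-admin/ with a suspicious url parameter.
function findSuspiciousRequests(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req || !req.path.startsWith("/wp-admin/")) continue;
    const q = req.path.indexOf("?");
    if (q === -1) continue;
    const params = new URLSearchParams(req.path.slice(q + 1)); // first decode happens here
    const raw = params.get("url");
    if (raw === null) continue;
    const { value, extraDecodes } = fullyDecode(raw);
    const reasons = PAYLOAD_PATTERNS.filter((p) => p.re.test(value)).map((p) => p.reason);
    if (reasons.length === 0) continue;
    if (extraDecodes > 0) reasons.push("double-encoded");
    findings.push({ ip: req.ip, time: req.time, page: params.get("page"), decodedUrl: value, referer: req.referer, reasons });
  }
  return findings;
}

for (const f of findSuspiciousRequests(SAMPLE_ACCESS_LOG)) {
  console.log(`${f.time} ${f.ip} page=${f.page} referer=${f.referer} reasons=${f.reasons.join(",")} url=${f.decodedUrl}`);
}
```

The scanner deliberately inspects only the url parameter rather than the whole request line, matching the hunting guidance above, and records the referrer so that findings can be correlated with the external-link indicator. Runs that produce a double-encoded finding are worth prioritising, since benign links to a pricing page have no reason to carry nested encoding.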

Monitoring Recommendations

  • Enable verbose access logging on /wp-admin/ paths and forward to a centralized log analytics platform for query-based hunting
  • Monitor WordPress audit logs for administrative actions occurring within seconds of a pricing page visit, which can indicate XSS-driven CSRF chaining
  • Track installed plugin versions across managed WordPress fleets and alert on versions predating the relevant Freemius SDK fix

How to Mitigate CVE-2024-13362

Immediate Actions Required

  • Update every affected plugin to the latest version that incorporates the patched Freemius SDK, referencing changesets #3229060, #3235286, and #3249130
  • Audit installed WordPress plugins against the affected list and remove any plugins that are no longer needed or maintained
  • Force re-authentication of all WordPress administrator accounts and rotate session cookies after patching

Patch Information

Fixes were committed to the WordPress plugin repository through Changeset #3229060, Changeset #3235286, and Changeset #3249130. Plugin maintainers updated the bundled Freemius SDK pricing script to properly sanitize and escape the url parameter. Site operators should apply plugin updates from the WordPress plugin directory rather than patching freemius-pricing.js manually.

Workarounds

  • Restrict access to /wp-admin/ to known administrator IP addresses through web server or WAF allowlists until patches are applied
  • Configure a strict Content Security Policy that disallows inline script execution and untrusted script sources on WordPress admin pages
  • Disable or uninstall affected plugins that cannot be promptly updated
  • Train administrators to avoid clicking links to plugin pricing or upgrade pages from untrusted sources
```nginx
# Example: enforce CSP header for /wp-admin via Nginx.
# Note: wp-admin relies heavily on inline scripts and styles, so a policy this
# strict will break parts of the dashboard. Roll it out as
# Content-Security-Policy-Report-Only first and switch to the enforcing header
# once the violation reports are clean.
# Note: add_header directives in a location block replace those inherited from
# the server block, so any headers set there must be repeated here.
location ^~ /wp-admin/ {
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: XSS
  • Vendor/Tech: WordPress
  • Severity: MEDIUM
  • CVSS Score: 6.1
  • EPSS Probability: 0.12%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Assessment

  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

CWE References

  • CWE-79

Technical References

  • WordPress Plugin Pricing Script
  • Featured Images RSS Pricing Script
  • FooBox Lightbox Pricing Script
  • FooGallery Pricing Script
  • Independent Analytics Pricing Script
  • Interactive Geo Maps Pricing Script
  • Internal Links Pricing Script
  • Master Addons Pricing Script
  • Menu Image Pricing Script
  • Ocean Extra Pricing Script
  • PDF Poster Pricing Script
  • Shortcodes Ultimate Pricing Script
  • Simply Gallery Block Pricing Script
  • Spotlight Social Feeds Pricing Script
  • TablePress Pricing Script
  • Unlimited Elements Elementor Pricing Script
  • Widgets on Pages Pricing Script
  • Woo Permalink Manager Pricing Script
  • WP Meta Remover Pricing Script
  • WPIde Pricing Script
  • WordPress Changeset #3229060
  • WordPress Changeset #3235286
  • WordPress Changeset #3249130
  • Wordfence Threat Intel Report

Related CVEs

  • CVE-2026-7448: LatePoint WordPress Plugin XSS Vulnerability
  • CVE-2026-7332: LatePoint WordPress Plugin XSS Vulnerability
  • CVE-2026-7457: WordPress LatePoint Plugin XSS Vulnerability
  • CVE-2026-6672: SliceWP Affiliates Plugin XSS Vulnerability