Multiple plugins and/or themes for WordPress Vulnerability (CVE-2024-13362)

Security Alert Summary

Multiple WordPress plugins and themes are vulnerable to reflected Cross-Site Scripting (XSS) via the url query parameter. Insufficient input sanitization and output escaping allow an unauthenticated attacker to craft a link that injects script into the page; the script executes in the browser of any user who is tricked into opening that link.


CVE Details

  • CVE ID: CVE-2024-13362
  • Affected component: Multiple plugins and/or themes for WordPress
  • Affected versions: various versions
  • Published: May 01, 2026 6:16:30 AM
  • Last modified: May 01, 2026 3:26:24 PM
  • CVSS v3.1 base score: 6.1
  • CVSS v3.1 severity: MEDIUM
  • CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Privileges required: NONE (no authentication needed); user interaction: REQUIRED (the victim must open the crafted link)
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • Weakness (CWE): CWE-79 (Improper Neutralization of Input During Web Page Generation – XSS)

Technical Details

The vulnerability is a reflected Cross-Site Scripting (XSS) issue stemming from insufficient input sanitization and output escaping of a url parameter. Because the parameter's value is reflected into the page output without being encoded for the context it lands in, an attacker can craft a link whose url parameter breaks out of the intended markup and carries arbitrary script. If a victim opens that link, the injected script runs in the victim's browser in the origin of the vulnerable site, which is why the CVSS scope is rated Changed (S:C): the flaw is in the server-rendered page, but the impact lands in the user's browser session.

The advisory and its references indicate that the issue affects many plugin and theme code paths, and point to multiple copies of the freemius-pricing.js asset shipped under different plugins' directories. The report does not name specific functions or REST endpoints; the only observable element it identifies is the url parameter.

Impact is limited according to the CVSS metrics: confidentiality and integrity impacts are rated LOW and availability is not affected. Exploitation requires social engineering to get a user to open a crafted link; the attacker needs no account on the site to build and distribute that link.
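To make the mechanism concrete, the following is an added example written for this page; it is not code from Freemius, from freemius-pricing.js, or from any of the affected plugins. It models a page that reads the url query parameter and renders it into a link, first the way the advisory describes (value concatenated into markup with no escaping) and then a hardened form that validates the value as an http(s) URL and HTML-escapes it for the attribute context. The function names, the "Back" link and the payloads are all hypothetical; rendering is modelled as returning an HTML string so the code runs under Node without a DOM, where the real sink would be innerHTML or document.write.

```javascript
// Added example, not code from the affected plugins or from Freemius.
// Models a reflected XSS through a "url" query parameter: a vulnerable
// renderer beside a hardened one. Rendering returns an HTML string so this
// runs under plain Node; in a page the sink would be innerHTML/document.write.

// Parse a query string ("?a=1&b=2" or "a=1&b=2") into a plain object.
// URLSearchParams percent-decodes each value, just as a browser would.
function parseQuery(search) {
  return Object.fromEntries(new URLSearchParams(search).entries());
}

// VULNERABLE (hypothetical): the decoded url value is concatenated straight
// into an attribute. A value containing a double quote breaks out of the
// attribute; a javascript: URL survives intact as a clickable href.
function renderBackLinkVulnerable(search) {
  const url = parseQuery(search).url || '';
  return '<a href="' + url + '">Back</a>';
}

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept only absolute http(s) URLs. javascript:, data:, and anything that
// does not parse as a URL yields null, which the caller treats as "unsafe".
function safeHttpUrl(candidate) {
  try {
    const u = new URL(candidate);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) {
    // not an absolute URL at all (e.g. an attribute-breakout payload)
  }
  return null;
}

// HARDENED (hypothetical): validate the value as a URL, then escape it for
// the attribute context. Both steps are needed: validation stops script
// schemes, escaping stops breakout via quotes and angle brackets.
function renderBackLinkHardened(search) {
  const url = safeHttpUrl(parseQuery(search).url || '');
  if (url === null) return '<a href="/">Back</a>'; // safe default
  return '<a href="' + escapeHtml(url) + '">Back</a>';
}

// Constructed inputs for the demo (percent-encoded as they would appear in
// a crafted link). The third is a legitimate value a real user might send.
const PAYLOAD_BREAKOUT = '?url=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';
const PAYLOAD_SCHEME = '?url=javascript:alert(1)';
const LEGIT_URL = '?url=https%3A%2F%2Fexample.com%2F%3Fa%3D1%26b%3D2';

for (const q of [PAYLOAD_BREAKOUT, PAYLOAD_SCHEME, LEGIT_URL]) {
  console.log('query     :', q);
  console.log('vulnerable:', renderBackLinkVulnerable(q));
  console.log('hardened  :', renderBackLinkHardened(q));
}
```

In WordPress code the equivalent of escapeHtml for an attribute is esc_attr(), and of safeHttpUrl is esc_url() or wp_http_validate_url(); the point of the example is that the url value has to pass through both a validation step and a context-appropriate escaping step before it reaches the page.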


How This Could Impact Your Website

Consider a typical site with an owner, an editor-level staff member, and an outside contributor. An unauthenticated attacker could send a crafted link (for example, via email or chat) that includes the malicious url parameter. If an editor or contributor opens the link while logged in to the site, the injected script runs in their browser as part of the site's origin: it can read information visible in that page context and make requests that carry the victim's session (consistent with the CVSS LOW confidentiality and integrity impacts). That could expose user-visible data such as email addresses or profile details, and increase the risk of targeted phishing or social engineering against staff.

The issue does not by itself imply site takeover or any availability impact, but it can enable data exposure and actions performed with the victim's session when users interact with malicious links. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugins or themes as soon as patched versions are available; because the reported paths point to a bundled freemius-pricing.js asset, check every plugin and theme that ships that file, not just one.
  • Review and reduce unnecessary user roles, especially contributor and editor accounts.
  • Enforce strong passwords and two-factor authentication for editor and administrator accounts.
  • Remove unused or unmaintained plugins and themes from your site.
  • Monitor site activity and logs for unusual behavior or unexpected administrative actions.
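The last action above is easier with something concrete to look for. The following is an added example, not tooling from the advisory or from any plugin vendor, that scans web server access log lines for requests whose url query parameter carries markup, an event-handler attribute, or a script scheme, which is the shape of payload a reflected-XSS link would use. The log lines, IP addresses and request paths are constructed for the demonstration; the Combined Log Format regex and the heuristic in isSuspiciousUrlValue are assumptions you should tune to your own logs.

```javascript
// Added example (not from the advisory or from any plugin): flag access-log
// requests whose "url" query parameter looks like a reflected-XSS payload.
// The log lines below are constructed for the demo (Combined Log Format).

const SAMPLE_LOG = [
  '198.51.100.7 - - [01/May/2026:10:00:01 +0000] "GET /pricing/?url=https%3A%2F%2Fexample.com%2Fplans HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [01/May/2026:10:02:13 +0000] "GET /wp-admin/admin.php?page=example-pricing&url=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [01/May/2026:10:02:40 +0000] "GET /pricing/?url=javascript%3Aalert(document.cookie) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '192.0.2.44 - - [01/May/2026:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [01/May/2026:10:05:31 +0000] "GET /pricing/?url=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120 "-" "curl/8.0"',
];

// Combined/Common Log Format: ip ident user [time] "METHOD target PROTO" status ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})/;

// Returns {ip, time, method, target, status} or null for unparseable lines.
function parseAccessLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Percent-decode repeatedly (bounded) so double-encoded payloads are seen
// in their final form. Stops on malformed sequences or when decoding is stable.
function decodeRepeatedly(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current.replace(/\+/g, ' '));
    } catch (e) {
      break; // lone '%' or bad sequence: keep what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Heuristic (assumption, tune for your site): angle brackets, a script-ish
// scheme, or a quote followed by an on*= handler are not things a legitimate
// url value should contain.
function isSuspiciousUrlValue(value) {
  const v = decodeRepeatedly(value);
  return /[<>]/.test(v)
    || /^\s*(javascript|data|vbscript)\s*:/i.test(v)
    || /["'][^"']*\bon\w+\s*=/i.test(v);
}

// Walk the log and collect hits with the decoded payload for triage.
function findSuspicious(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseAccessLogLine(line);
    if (!req) continue;
    let params;
    try {
      // Base is only needed so a path-relative target parses; it is not contacted.
      params = new URL(req.target, 'http://placeholder.invalid').searchParams;
    } catch (e) {
      continue;
    }
    const url = params.get('url');
    if (url === null) continue;
    if (isSuspiciousUrlValue(url)) {
      hits.push({ ip: req.ip, time: req.time, target: req.target, urlParam: decodeRepeatedly(url) });
    }
  }
  return hits;
}

for (const hit of findSuspicious(SAMPLE_LOG)) {
  console.log(`${hit.time} ${hit.ip} ${hit.target}\n    decoded url=${hit.urlParam}`);
}
```

A hit in the log shows a crafted link was requested, not that the script ran or that a logged-in user was the one who clicked; correlate the source IP and time with your authentication and admin-action logs. Expect some false positives from legitimate URLs that happen to contain quotes or angle brackets, and note that payloads delivered in a POST body or in a fragment after # will not appear in the request line at all.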

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References