CVE-2024-13362

Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

Severity
medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score
6.1
Patched in
1.6.1
Time to patch
1d

Description

Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Technical Details

Affected versions
<=1.5.8
Published
April 30, 2026
Last updated
May 1, 2026

What Changed in the Fix

Changes introduced in v1.6.1

Source Code

WordPress.org SVN
Research Plan
Unverified

Vulnerability Summary

The Freemius SDK (versions <= 2.10.1), bundled with the Restaurant & Cafe Addon for Elementor plugin, is vulnerable to Reflected DOM-Based Cross-Site Scripting (XSS). The vulnerability exists because the Freemius JavaScript logic (specifically in the pricing and contact modules) extracts the url parameter from the browser's location and sinks it into a dangerous DOM property (like window.location.href, iframe.src, or anchor.href) without proper validation or sanitization.

This allows an unauthenticated attacker to construct a malicious URL that, when clicked by a logged-in administrator, executes arbitrary JavaScript in the context of the WordPress admin dashboard.

Attack Vector Analysis

  • Vulnerable Page: Any admin page registered by Freemius, typically the Pricing, Contact, or Support pages.
  • Admin Page Slugs (Inferred):
    • restaurant-cafe-addon-for-elementor-pricing
    • restaurant-cafe-addon-for-elementor-contact
    • restaurant-cafe-addon-for-elementor-account
  • Vulnerable Parameter: url
  • Authentication: Unauthenticated (to craft the link), but requires a logged-in Administrator to visit the link (Reflected).
  • Preconditions: The "Restaurant & Cafe Addon for Elementor" plugin must be installed and activated, and the Freemius SDK must be initialized (usually requires visiting the plugin's settings once).

Code Flow

  1. Entry Point: The Administrator navigates to wp-admin/admin.php?page=restaurant-cafe-addon-for-elementor-pricing&url=javascript:alert(document.domain).
  2. Script Execution: WordPress loads the Freemius admin page, which enqueues freemius/assets/js/pricing/freemius-pricing.js (as seen in the source).
  3. Parameter Extraction: The Freemius JavaScript uses a utility function (often a wrapper around URLSearchParams or a custom regex parser) to read the url parameter from window.location.search.
  4. The Sink: The script uses this url value to:
    • Set the src of a "checkout" or "pricing" <iframe>.
    • Set the href of a "Try Again" or "Back" link.
    • Set window.location.href during a redirect logic.
  5. Execution: If the payload is javascript:alert(1), the browser executes the code when the iframe loads or the link is clicked.

Nonce Acquisition Strategy

This is a Reflected DOM XSS, which typically does not require a WordPress nonce because the vulnerability is in the client-side processing of URL parameters. The server simply renders the page and enqueues the script; the malicious logic happens entirely in the browser using data already present in the URL.

If the page itself were restricted by a nonce (highly unusual for a top-level admin.php page), the agent would need to:

  1. Navigate to the main plugin settings page.
  2. Extract any necessary nonces from the localized JS object (e.g., window.fs_common_data?.nonce).

For this specific CVE, however, the url parameter is processed directly from the URL by the SDK's JavaScript, so no nonce is involved.

Exploitation Strategy

  1. Target Identification: Determine the exact admin page slug for the Freemius Pricing or Contact page.
  2. Payload Construction: Use a simple JavaScript URI payload: javascript:alert(document.domain).
  3. HTTP Request: Use http_request to simulate an admin clicking the link. Since this is DOM-based, we must use browser_navigate to allow the JavaScript to execute and the sink to be reached.
  4. Verification: Check if the browser triggers an alert or if the payload is reflected in a dangerous attribute in the DOM.

Step-by-Step Plan:

  1. Login as Admin: Authenticate to the WordPress instance.
  2. Discover Slug: Use wp eval to find the registered Freemius slugs.
  3. Navigate: Use browser_navigate to visit:
    http://localhost:8080/wp-admin/admin.php?page=[SLUG]-pricing&url=javascript:alert(window.origin)
  4. Interact: If the XSS is tied to an iframe or link, the agent may need to wait for the page to load or use browser_click on a "Contact" or "Upgrade" button.
  5. Observe: Check for the execution of the alert or the presence of the payload in the src of an iframe.

Test Data Setup

  1. Install Plugin: wp plugin install restaurant-cafe-addon-for-elementor --version=1.5.8 --activate.
  2. Initialize Freemius: Navigate to the plugin settings page once to ensure Freemius is initialized and options are saved.
  3. Role: Perform the exploit as an Administrator.

Expected Results

A successful exploit will result in the url parameter being placed into a DOM element that executes JavaScript.

  • Iframe Sink: <iframe src="javascript:alert(document.domain)">
  • Link Sink: <a href="javascript:alert(document.domain)">
  • Location Sink: window.location.href = "javascript:alert(document.domain)"

Verification Steps

  1. Browser Console: Use browser_eval to check if a specific "canary" variable or alert was triggered.
  2. DOM Inspection: Use browser_eval to inspect the Freemius iframe or links:
    document.querySelector('iframe[src*="javascript:"]').src

Alternative Approaches

If the pricing page is not active (e.g., requires a specific configuration), try the contact page:
wp-admin/admin.php?page=restaurant-cafe-addon-for-elementor-contact&url=javascript:alert(1)

If javascript: URIs are blocked by a basic check, attempt attribute breakout:
url="><img src=x onerror=alert(1)>

Check for the payload in localized data:

browser_eval("window.fs_pricing_config")

If the url is reflected in fs_pricing_config.url, the XSS may occur when that object is used to build the UI.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Freemius SDK (versions <= 2.10.1) bundled with the Restaurant & Cafe Addon for Elementor plugin is vulnerable to Reflected DOM-Based Cross-Site Scripting. The vulnerability occurs when the SDK's JavaScript extracts a user-supplied URL from the 'url' parameter and sinks it into a dangerous property like 'window.location.href' or an iframe 'src' without validation.

Vulnerable Code

// freemius/assets/js/pricing/freemius-pricing.js
// The minified JavaScript logic extracts URL parameters and uses the 'url' parameter
// to define iframe sources or redirect targets. The logic is similar to the following
// (conceptualized from the minified source, not a verbatim excerpt):
let redirectUrl = new URLSearchParams(window.location.search).get('url');
if (redirectUrl) { window.location.href = redirectUrl; }   // unvalidated value reaches a navigation sink
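The pattern above written out beside a hardened variant, as an added example that is neither Freemius code nor the vendor's actual fix (the truncated diff below does not show what the SDK changed): the url parameter is parsed and restricted to same-origin http(s) destinations before anything is assigned to a navigation or iframe sink, which also covers the iframe.src and anchor.href sinks listed under Code Flow. The origin, fallback path and sample inputs are constructed for the example.

```javascript
// Added illustration, not Freemius code: validate a user-supplied "url"
// query parameter before it reaches location.href, iframe.src or a.href.
//
// The page describes logic equivalent to:
//   const target = new URLSearchParams(location.search).get('url');
//   if (target) window.location.href = target;
// A javascript: value assigned to those sinks runs script in the page's origin,
// so the value must be parsed and checked, not just tested for being non-empty.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Parse rawUrl relative to baseOrigin and return an absolute URL string only if
// it is http(s) and stays on the same origin; otherwise return null.
// Relative paths such as "/wp-admin/admin.php?page=x" resolve to the base origin
// and are accepted; "javascript:", "data:" and protocol-relative "//other.host"
// values are rejected. Scheme matching is case-insensitive because the URL
// parser lowercases the scheme ("JavaScript:" becomes "javascript:").
function safeRedirectTarget(rawUrl, baseOrigin) {
  if (typeof rawUrl !== 'string' || rawUrl.trim() === '') return null;
  let parsed;
  try {
    parsed = new URL(rawUrl, baseOrigin);   // resolves relative URLs, normalises case
  } catch (e) {
    return null;                            // unparsable input is never navigated to
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  if (parsed.origin !== new URL(baseOrigin).origin) return null;
  return parsed.href;
}

// Hardened form of the page's pattern: read the "url" query parameter and return
// the destination that would be assigned to the sink, falling back to
// fallbackPath whenever the supplied value fails validation.
function resolveRedirect(search, baseOrigin, fallbackPath) {
  const raw = new URLSearchParams(search).get('url');
  const safe = raw === null ? null : safeRedirectTarget(raw, baseOrigin);
  return safe !== null ? safe : new URL(fallbackPath, baseOrigin).href;
}

// Constructed sample values (hypothetical site, not a real deployment).
const ORIGIN = 'https://example.test';
const FALLBACK = '/wp-admin/admin.php?page=example-account';
const SAMPLES = ['javascript:alert(document.domain)', '//evil.test/', '/wp-admin/admin.php?page=example-pricing'];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s, ORIGIN));
}
```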

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/restaurant-cafe-addon-for-elementor/1.6.0/freemius/assets/js/pricing/freemius-pricing.js /home/deploy/wp-safety.org/data/plugin-versions/restaurant-cafe-addon-for-elementor/1.6.1/freemius/assets/js/pricing/freemius-pricing.js
--- /home/deploy/wp-safety.org/data/plugin-versions/restaurant-cafe-addon-for-elementor/1.6.0/freemius/assets/js/pricing/freemius-pricing.js	2024-11-26 10:03:14.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/restaurant-cafe-addon-for-elementor/1.6.1/freemius/assets/js/pricing/freemius-pricing.js	2025-01-28 11:21:36.000000000 +0000
@@ -1,2 +1,2 @@
 /*! For license information please see freemius-pricing.js.LICENSE.txt */
-!function(e,t)... (truncated)
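Review bot: the hunk at @@ -1,2 +1,2 @@ is cut off after the removed minified line (-!function(e,t)... (truncated)) and never shows the replacement + line, so the visible diff gives no evidence of which check was added before the url value reaches the sink. Replace the truncated minified line with the relevant unminified excerpt of the url handling (the parameter read and whatever validation now precedes the assignment to location.href or iframe.src), or link the source commit, so the fix can be reviewed against the description above.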

Exploit Outline

To exploit this vulnerability, an attacker must craft a malicious URL targeting a WordPress administrator. The attacker identifies the Freemius-managed admin pages (e.g., pricing, contact, or account pages) registered by the plugin. A payload using the 'javascript:' pseudo-protocol is appended to the 'url' parameter of the admin page link. When the logged-in administrator clicks the link, the SDK's client-side JavaScript processes the 'url' parameter and assigns it to a sensitive DOM sink (like an iframe source or window location), triggering the execution of the arbitrary JavaScript in the context of the admin's browser session. No nonce is required for this DOM-based attack.
