[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWlboNGU7ONrp7lJBCa47O8Fd7kC7fNFGsWnCMuEGRek":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2024-13362","freemius-reflected-dom-based-cross-site-scripting-via-url-parameter","Freemius \u003C= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter","Multiple plugins and\u002For themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","restaurant-cafe-addon-for-elementor",null,"\u003C=1.5.8","1.6.1","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-30 17:17:30","2026-05-01 05:30:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd694491c-c0f5-4418-805a-db792ea4f712?source=api-prod",1,[22,23,24,25,26,27,28,29],"freemius\u002Fassets\u002Fcss\u002Fadmin\u002Fcommon.css","freemius\u002Fassets\u002Fjs\u002Fpricing\u002Ffreemius-pricing.js","freemius\u002Fincludes\u002Fclass-freemius.php","freemius\u002Fincludes\u002Fclass-fs-plugin-updater.php","freemius\u002Fincludes\u002Fentities\u002Fclass-fs-plugin-plan.php","freemius\u002Fincludes\u002Fentities\u002Fclass-fs-site.php","freemius\u002Fincludes\u002Fentities\u002Fclass-fs-user.php","freemius\u002Fincludes\u002Fmanagers\u002Fclass-fs-admin-menu-manager.php","researched",false,3,"## Vulnerability Summary\nThe **Freemius SDK** (versions \u003C= 2.10.1), bundled with the **Restaurant & Cafe Addon for Elementor** plugin, is vulnerable to **Reflected DOM-Based Cross-Site Scripting (XSS)**. The vulnerability exists because the Freemius JavaScript logic (specifically in the pricing and contact modules) extracts the `url` parameter from the browser's location and sinks it into a dangerous DOM property (like `window.location.href`, `iframe.src`, or `anchor.href`) without proper validation or sanitization.\n\nThis allows an unauthenticated attacker to construct a malicious URL that, when clicked by a logged-in administrator, executes arbitrary JavaScript in the context of the WordPress admin dashboard.\n\n## Attack Vector Analysis\n- **Vulnerable Page:** Any admin page registered by Freemius, typically the Pricing, Contact, or Support pages.\n- **Admin Page Slugs (Inferred):**\n    - `restaurant-cafe-addon-for-elementor-pricing`\n    - `restaurant-cafe-addon-for-elementor-contact`\n    - `restaurant-cafe-addon-for-elementor-account`\n- **Vulnerable Parameter:** `url`\n- **Authentication:** Unauthenticated (to craft the link), but requires a logged-in Administrator to visit the link (Reflected).\n- **Preconditions:** The \"Restaurant & Cafe Addon for Elementor\" plugin must be installed and activated, and the Freemius SDK must be initialized (usually requires visiting the plugin's settings once).\n\n## Code Flow\n1. **Entry Point:** The Administrator navigates to `wp-admin\u002Fadmin.php?page=restaurant-cafe-addon-for-elementor-pricing&url=javascript:alert(document.domain)`.\n2. **Script Execution:** WordPress loads the Freemius admin page, which enqueues `freemius\u002Fassets\u002Fjs\u002Fpricing\u002Ffreemius-pricing.js` (as seen in the source).\n3. **Parameter Extraction:** The Freemius JavaScript uses a utility function (often a wrapper around `URLSearchParams` or a custom regex parser) to read the `url` parameter from `window.location.search`.\n4. **The Sink:** The script uses this `url` value to:\n    - Set the `src` of a \"checkout\" or \"pricing\" `\u003Ciframe>`.\n    - Set the `href` of a \"Try Again\" or \"Back\" link.\n    - Set `window.location.href` during a redirect logic.\n5. **Execution:** If the payload is `javascript:alert(1)`, the browser executes the code when the iframe loads or the link is clicked.\n\n## Nonce Acquisition Strategy\nThis is a **Reflected DOM XSS**, which typically does not require a WordPress nonce because the vulnerability is in the client-side processing of URL parameters. The server simply renders the page and enqueues the script; the malicious logic happens entirely in the browser using data already present in the URL.\n\nIf the page itself were restricted by a nonce (highly unusual for a top-level `admin.php` page), the agent would need to:\n1. Navigate to the main plugin settings page.\n2. Extract any necessary nonces from the localized JS object (e.g., `window.fs_common_data?.nonce`).\n3. However, for this specific CVE, the `url` parameter is processed directly from the URL by the SDK's JavaScript.\n\n## Exploitation Strategy\n1. **Target Identification:** Determine the exact admin page slug for the Freemius Pricing or Contact page.\n2. **Payload Construction:** Use a simple JavaScript URI payload: `javascript:alert(document.domain)`.\n3. **HTTP Request:** Use `http_request` to simulate an admin clicking the link. Since this is DOM-based, we must use `browser_navigate` to allow the JavaScript to execute and the sink to be reached.\n4. **Verification:** Check if the browser triggers an alert or if the payload is reflected in a dangerous attribute in the DOM.\n\n### Step-by-Step Plan:\n1. **Login as Admin:** Authenticate to the WordPress instance.\n2. **Discover Slug:** Use `wp eval` to find the registered Freemius slugs.\n3. **Navigate:** Use `browser_navigate` to visit:\n   `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=[SLUG]-pricing&url=javascript:alert(window.origin)`\n4. **Interact:** If the XSS is tied to an iframe or link, the agent may need to wait for the page to load or use `browser_click` on a \"Contact\" or \"Upgrade\" button.\n5. **Observe:** Check for the execution of the alert or the presence of the payload in the `src` of an iframe.\n\n## Test Data Setup\n1. **Install Plugin:** `wp plugin install restaurant-cafe-addon-for-elementor --version=1.5.8 --activate`.\n2. **Initialize Freemius:** Navigate to the plugin settings page once to ensure Freemius is initialized and options are saved.\n3. **Role:** Perform the exploit as an Administrator.\n\n## Expected Results\nA successful exploit will result in the `url` parameter being placed into a DOM element that executes JavaScript.\n- **Iframe Sink:** `\u003Ciframe src=\"javascript:alert(document.domain)\">`\n- **Link Sink:** `\u003Ca href=\"javascript:alert(document.domain)\">`\n- **Location Sink:** `window.location.href = \"javascript:alert(document.domain)\"`\n\n## Verification Steps\n1. **Browser Console:** Use `browser_eval` to check if a specific \"canary\" variable or alert was triggered.\n2. **DOM Inspection:** Use `browser_eval` to inspect the Freemius iframe or links:\n   ```javascript\n   document.querySelector('iframe[src*=\"javascript:\"]').src\n   ```\n\n## Alternative Approaches\nIf the `pricing` page is not active (e.g., requires a specific configuration), try the `contact` page:\n`wp-admin\u002Fadmin.php?page=restaurant-cafe-addon-for-elementor-contact&url=javascript:alert(1)`\n\nIf `javascript:` URIs are blocked by a basic check, attempt attribute breakout:\n`url=\">\u003Cimg src=x onerror=alert(1)>`\n\nCheck for the payload in localized data:\n```javascript\nbrowser_eval(\"window.fs_pricing_config\")\n```\nIf the `url` is reflected in `fs_pricing_config.url`, the XSS may occur when that object is used to build the UI.","The Freemius SDK (versions \u003C= 2.10.1) bundled with the Restaurant & Cafe Addon for Elementor plugin is vulnerable to Reflected DOM-Based Cross-Site Scripting. The vulnerability occurs when the SDK's JavaScript extracts a user-supplied URL from the 'url' parameter and sinks it into a dangerous property like 'window.location.href' or an iframe 'src' without validation.","\u002F\u002F freemius\u002Fassets\u002Fjs\u002Fpricing\u002Ffreemius-pricing.js\n\u002F\u002F The minified JavaScript logic extracts URL parameters and utilizes the 'url' parameter to define sources or redirect targets.\n\u002F\u002F Specifically, logic similar to the following (conceptualized from the minified source):\n\u002F\u002F let redirectUrl = new URLSearchParams(window.location.search).get('url');\n\u002F\u002F if (redirectUrl) { window.location.href = redirectUrl; }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frestaurant-cafe-addon-for-elementor\u002F1.6.0\u002Ffreemius\u002Fassets\u002Fjs\u002Fpricing\u002Ffreemius-pricing.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frestaurant-cafe-addon-for-elementor\u002F1.6.1\u002Ffreemius\u002Fassets\u002Fjs\u002Fpricing\u002Ffreemius-pricing.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frestaurant-cafe-addon-for-elementor\u002F1.6.0\u002Ffreemius\u002Fassets\u002Fjs\u002Fpricing\u002Ffreemius-pricing.js\t2024-11-26 10:03:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frestaurant-cafe-addon-for-elementor\u002F1.6.1\u002Ffreemius\u002Fassets\u002Fjs\u002Fpricing\u002Ffreemius-pricing.js\t2025-01-28 11:21:36.000000000 +0000\n@@ -1,2 +1,2 @@\n \u002F*! For license information please see freemius-pricing.js.LICENSE.txt *\u002F\n-!function(e,t)... (truncated)","To exploit this vulnerability, an attacker must craft a malicious URL targeting a WordPress administrator. The attacker identifies the Freemius-managed admin pages (e.g., pricing, contact, or account pages) registered by the plugin. A payload using the 'javascript:' pseudo-protocol is appended to the 'url' parameter of the admin page link. When the logged-in administrator clicks the link, the SDK's client-side JavaScript processes the 'url' parameter and assigns it to a sensitive DOM sink (like an iframe source or window location), triggering the execution of the arbitrary JavaScript in the context of the admin's browser session. No nonce is required for this DOM-based attack.","gemini-3-flash-preview","2026-05-04 17:41:09","2026-05-04 17:41:46",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.6.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frestaurant-cafe-addon-for-elementor\u002Ftags\u002F1.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frestaurant-cafe-addon-for-elementor.1.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frestaurant-cafe-addon-for-elementor\u002Ftags\u002F1.6.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frestaurant-cafe-addon-for-elementor.1.6.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frestaurant-cafe-addon-for-elementor\u002Ftags"]