WordPress Plugin Vulnerabilities

Freemius < 2.11.0 - Reflected DOM-Based XSS via url Parameter

Description

Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
add-expires-headers
Fixed in 2.10.0
Plugin icon
add-fields-to-checkout-page-woocommerce
No known fix
Plugin icon
add-search-to-menu
Fixed in 5.5.9
Plugin icon
advance-wc-analytics
Fixed in 3.16.0
Plugin icon
advanced-classifieds-and-directory-pro
Fixed in 3.2.5
Plugin icon
advanced-scrollbar
Fixed in 1.1.10
Plugin icon
aibuddy-openai-chatgpt
Fixed in 1.8.5
Plugin icon
alt-manager
Fixed in 1.6.6
Plugin icon
auto-install-free-ssl
Fixed in 4.5.1
Plugin icon
automatic-internal-links-for-seo
Fixed in 2.0.1
Plugin icon
automatic-youtube-gallery
Fixed in 2.5.6
Plugin icon
b-blocks
Fixed in 2.0.19
Plugin icon
basepress
Fixed in 2.16.3.6
Plugin icon
bbp-core
Fixed in 1.2.9
Plugin icon
blockspare
Fixed in 3.2.8
Plugin icon
blog-designer-pack
Fixed in 3.4.11
Plugin icon
bp-better-messages
Fixed in 2.7.0
Plugin icon
bulk-image-alt-text-with-yoast
Fixed in 2.2.0
Plugin icon
bulletin-announcements
Fixed in 3.13.1
Plugin icon
cf7-message-filter
Fixed in 1.6.3.3
Plugin icon
cf7-styler
Fixed in 1.7.1
Plugin icon
code-manager
Fixed in 1.0.41
Plugin icon
contact-form-7-multi-step-module
Fixed in 4.4.2
Plugin icon
custom-page-templates-by-vegacorp
Fixed in 1.1.17
Plugin icon
custom-php-settings
Fixed in 2.3.2
Plugin icon
delete-old-posts-programmatically
Fixed in 3.9.7
Plugin icon
display-a-meta-field-as-block
Fixed in 1.3.4
Plugin icon
dracula-dark-mode
Fixed in 1.2.8
Plugin icon
dynamic-copyright-year
Fixed in 1.1
Plugin icon
easy-age-verify
Fixed in 1.9
Plugin icon
easy-facebook-likebox
Fixed in 6.6.6
Plugin icon
easy-marijuana-age-verify
Fixed in 1.6
Plugin icon
eazydocs
Fixed in 2.5.9
Plugin icon
elespare
Fixed in 3.3.4
Plugin icon
embedder-for-google-reviews
Fixed in 1.7.5
Plugin icon
events-addon-for-elementor
Fixed in 2.2.5
Plugin icon
featured-images-for-rss-feeds
Fixed in 1.6.4
Plugin icon
five-star-ratings-shortcode
Fixed in 1.2.57
Plugin icon
foobar-notifications-lite
Fixed in 2.1.35
Plugin icon
foobox-image-lightbox
Fixed in 2.7.34
Plugin icon
foogallery
Fixed in 2.4.29
Plugin icon
fullscreen-background
Fixed in 2.0.3
Plugin icon
fullworks-anti-spam
Fixed in 2.3.12
Plugin icon
ga-for-wp
Fixed in 2.10.0
Plugin icon
geo-mashup
Fixed in 1.13.16
Plugin icon
glossary-by-codeat
Fixed in 2.2.39
Plugin icon
go-fetch-jobs-wp-job-manager
Fixed in 1.8.4.9.1
Plugin icon
goal-tracker-ga
Fixed in 1.1.6
Plugin icon
gpt3-ai-content-generator
Fixed in 2.3.17
Plugin icon
gs-team-members
Fixed in 2.6.1
Plugin icon
gs-testimonial
Fixed in 3.2.9
Plugin icon
html5-audio-player
Fixed in 2.5.1
Plugin icon
inavii-social-feed-for-elementor
Fixed in 2.7.7
Plugin icon
independent-analytics
Fixed in 2.10.0
Plugin icon
integrate-google-drive
Fixed in 1.5.0
Plugin icon
interactive-geo-maps
Fixed in 1.6.23
Plugin icon
internal-links
Fixed in 2.25.2
Plugin icon
joli-table-of-contents
Fixed in 2.6.1
Plugin icon
justified-gallery
Fixed in 1.10.0
Plugin icon
logo-showcase-with-slick-slider
Fixed in 3.2.9
Plugin icon
map-location-picker-at-checkout-for-woocommerce
Fixed in 1.10.8
Plugin icon
mapster-wp-maps
Fixed in 1.21.0
Plugin icon
master-addons
Fixed in 2.0.7.3
Plugin icon
menu-image
Fixed in 3.13
Plugin icon
mobile-menu
Fixed in 2.8.7
Plugin icon
music-player-for-elementor
Fixed in 2.4.4
Plugin icon
ocean-extra
Fixed in 2.4.4
Plugin icon
open-user-map
Fixed in 1.4.1
Plugin icon
pdf-poster
Fixed in 2.3.1
Plugin icon
post-list-designer
Fixed in 3.3.8
Plugin icon
post-slider-and-carousel
Fixed in 3.2.9
Plugin icon
post-smtp
Fixed in 3.1.0
Plugin icon
post-to-google-my-business
Fixed in 3.2.2
Plugin icon
premmerce-woocommerce-product-filter
No known fix
Plugin icon
primary-addon-for-elementor
Fixed in 1.6.5
Plugin icon
product-layouts
Fixed in 1.3.5
Plugin icon
radio-player
Fixed in 2.0.83
Plugin icon
radio-station
Fixed in 2.5.17
Plugin icon
remove-add-to-cart-woocommerce
No known fix
Plugin icon
restaurant-cafe-addon-for-elementor
Fixed in 1.6.1
Plugin icon
restricted-content
Fixed in 2.3.1
Plugin icon
role-and-customer-based-pricing-for-woocommerce
Fixed in 1.6.1
Plugin icon
security-ninja
Fixed in 5.225
Plugin icon
send-users-email
Fixed in 1.6.2
Plugin icon
share-this-image
Fixed in 2.08
Plugin icon
shortcodes-ultimate
Fixed in 7.3.4
Plugin icon
simply-gallery-block
Fixed in 3.2.4.5
Plugin icon
smart-phone-field-for-gravity-forms
Fixed in 2.2.0
Plugin icon
spice-post-slider
Fixed in 2.2
Plugin icon
spotlight-social-photo-feeds
Fixed in 1.7.1
Plugin icon
streamweasels-twitch-integration
Fixed in 1.9.3
Plugin icon
tablepress
Fixed in 3.0.3
Plugin icon
tablesome
Fixed in 1.1.17
Plugin icon
text-to-audio
Fixed in 1.8.12
Plugin icon
treepress
Fixed in 3.0.7
Plugin icon
tripetto
Fixed in 8.0.8
Plugin icon
ultimeter
Fixed in 3.0.7
Plugin icon
unlimited-elements-for-elementor
Fixed in 1.5.141
Plugin icon
url-shortify
Fixed in 1.10.5.1
Plugin icon
wc-cashapp
No known fix
Plugin icon
wc-hkdigital-acba-gateway
No known fix
Plugin icon
wc-place-order-without-payment
Fixed in 2.6.7
Plugin icon
wc-thanks-redirect
Fixed in 4.2.1
Plugin icon
webba-booking-lite
Fixed in 5.1.8
Plugin icon
widget-for-eventbrite-api
Fixed in 6.1.11
Plugin icon
widgets-on-pages
No known fix
Plugin icon
woo-authorize-net-gateway-aim
Fixed in 6.1.14
Plugin icon
woo-conditional-payment-gateways
Fixed in 1.16.4
Plugin icon
woo-coupon-usage
Fixed in 5.19.0
Plugin icon
woo-floating-cart-lite
No known fix
Plugin icon
woo-permalink-manager
No known fix
Plugin icon
woocommerce-pay-per-post
Fixed in 3.1.28
Plugin icon
woocustomizer
Fixed in 2.6.0
Plugin icon
wp-auto-republish
No known fix
Plugin icon
wp-books-gallery
Fixed in 4.7.6
Plugin icon
wp-coupons-and-deals
Fixed in 3.2.3
Plugin icon
wp-data-access
Fixed in 5.5.32
Plugin icon
wp-fail2ban
Fixed in 5.4.0
Plugin icon
wp-letsencrypt-ssl
Fixed in 7.7.3
Plugin icon
wp-meta-and-date-remover
Fixed in 2.3.5
Plugin icon
wp-notification-bell
Fixed in 1.4.3
Plugin icon
wp-post-author
Fixed in 3.8.4
Plugin icon
wp-sheet-editor-bulk-spreadsheet-editor-for-posts-and-pages
Fixed in 2.25.19
Plugin icon
wp-stripe-donation
Fixed in 3.2.9
Plugin icon
wp-top-news
Fixed in 2.4.3
Plugin icon
wpbits-addons-for-elementor
No known fix
Plugin icon
wpide
Fixed in 3.5.2
Plugin icon
wps-team
Fixed in 3.3.2
Plugin icon
xt-woo-quick-view-lite
No known fix
Plugin icon
xt-woo-variation-swatches
Fixed in 1.9.7
Plugin icon
yet-another-stars-rating
Fixed in 3.4.15

References

CVE
CVE-2024-13362
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d694491c-c0f5-4418-805a-db792ea4f712

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Asaf Mozes
Verified
No
WPVDB ID
d4eb5de8-bb2c-4eee-b4cd-b65fde3013ff

Timeline

Publicly Published
2026-04-30 (about 13 days ago)
Added
2026-05-04 (about 9 days ago)
Last Updated
2026-05-04 (about 9 days ago)

Other

Published
Title
Published
2026-01-16
Title
Dooodl <= 2.3.0 - Reflected Cross-Site Scripting
Published
2015-07-16
Title
Download Manager <= 2.7.94 - Authenticated Stored XSS
Published
2023-03-22
Title
W4 Post List < 2.4.6 - Contributor+ Stored XSS
Published
2025-04-01
Title
Eventbee RSVP Widget <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-04-21
Title
Switch CTA Box <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode