WordPress Plugin Vulnerabilities

Funnel Builder by CartFlows < 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID

Description

The plugin did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used.

Proof of Concept

Affects Plugins

Plugin icon
cartflows
Fixed in 1.6.13

References

CVE
CVE-2021-24330
URL
https://m0ze.ru/vulnerability/[2021-04-26]-[WordPress]-[CWE-79]-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
m0ze
Submitter
m0ze
Submitter website
https://m0ze.ru
Submitter twitter
vladm0ze
Verified
Yes
WPVDB ID
b9748066-83b7-4762-9124-de021f687477

Timeline

Publicly Published
2021-05-17 (about 4 years ago)
Added
2021-05-17 (about 4 years ago)
Last Updated
2021-05-18 (about 4 years ago)

Other

Published
Title
Published
2024-04-05
Title
Element Pack Elementor Addons < 5.5.4 - Contributor+ Stored XSS via Trailer Box Widget
Published
2023-02-02
Title
Avalex < 3.0.4 - Admin+ Stored XSS
Published
2024-03-25
Title
WP Fast Total Search < 1.60.213 - Authenticated (Contributor+) Stored Cross-Site Scripting via WPFTS Live Search Widget
Published
2024-11-28
Title
Mail Picker <= 1.0.15 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-10-21
Title
WP-Thumbnail <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode