Pixel Manager for WooCommerce (PRO) < 1.49.1 – Authenticated (Contributor+) Cross-Site Scripting via Shortcode | CVE 2025-6201 | Plugin Vulnerabilities

Description

The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

woocommerce-google-adwords-conversion-tracking-tag

Fixed in 1.49.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/170a4cf2-d379-4c4e-b9e5-fb3b3bd91a40

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

theviper17y

Verified

No

WPVDB ID

f6349a4a-08e5-4039-ad10-ce83a6fd78fb

Timeline

Publicly Published

2025-06-18 (about 11 months ago)

Added

2025-06-18 (about 11 months ago)

Last Updated

2025-06-19 (about 11 months ago)

Other

Published

Title

Published

2026-01-09

Title

Shortcodes and extra features for Phlox theme < 2.17.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading Widget

Published

2025-01-16

Title

WP Photo Sphere <= 3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-04-07

Title

Beaver Builder Page Builder – Drag and Drop Website Builder < 2.10.1.2 - Authenticated (Author+) Stored Cross-Site Scripting via 'settings[js]'

Published

2025-04-01

Title

xili-language < 2.21.3 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

scorerender <= 0.3.4 - XSS in ZeroClipboard