vulnerability

WordPress Plugin: cartflows: CVE-2021-24330: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
3	(AV:N/AC:M/Au:S/C:N/I:P/A:N)	May 17, 2021	May 15, 2025	Apr 30, 2026

Severity

CVSS

(AV:N/AC:M/Au:S/C:N/I:P/A:N)

Published

May 17, 2021

Added

May 15, 2025

Modified

Apr 30, 2026

Description

The Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used.

Solution

cartflows-plugin-cve-2021-24330

References

https://www.cve.org/CVERecord?id=CVE-2021-24330
https://www.wordfence.com/threat-intel/vulnerabilities/id/083d368c-ba38-433a-b499-c00d205bd331?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-11243
CVE-2021-24330
https://attackerkb.com/topics/CVE-2021-24330
CWE-79
EUVD-EUVD-2021-11243

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report