vulnerability

WordPress Plugin: cartflows: CVE-2021-24330: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
3	(AV:N/AC:M/Au:S/C:N/I:P/A:N)	May 17, 2021	May 15, 2025	May 15, 2025

Severity

CVSS

(AV:N/AC:M/Au:S/C:N/I:P/A:N)

Published

May 17, 2021

Added

May 15, 2025

Modified

May 15, 2025

Description

The Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used.

Solution

cartflows-plugin-cve-2021-24330

References

URL-https://www.cve.org/CVERecord?id=CVE-2021-24330
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/083d368c-ba38-433a-b499-c00d205bd331?source=api-prod
CVE-2021-24330
https://attackerkb.com/topics/CVE-2021-24330

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today