
2 vulnerabilities found for Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress by Unknown

CVE-2021-24330 (GCVE-0-2021-24330)

Vulnerability from nvd – Published: 2021-06-01 11:33 – Updated: 2024-08-03 19:28
Title
Funnel Builder by CartFlows < 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID
Summary
The Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high-privilege users to store an XSS payload in them. The payload is then executed either on pages generated by the plugin or across the whole website, depending on the settings used.
Severity
No CVSS data available.
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Assigner
Credits
m0ze

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:28:23.352Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://m0ze.ru/vulnerability/%5B2021-04-26%5D-%5BWordPress%5D-%5BCWE-79%5D-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "1.6.13",
              "status": "affected",
              "version": "1.6.13",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "m0ze"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-01T11:33:31",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://m0ze.ru/vulnerability/%5B2021-04-26%5D-%5BWordPress%5D-%5BCWE-79%5D-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Funnel Builder by CartFlows \u003c 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-24330",
          "STATE": "PUBLIC",
          "TITLE": "Funnel Builder by CartFlows \u003c 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.6.13",
                            "version_value": "1.6.13"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "m0ze"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used."
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477",
              "refsource": "CONFIRM",
              "url": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477"
            },
            {
              "name": "https://m0ze.ru/vulnerability/[2021-04-26]-[WordPress]-[CWE-79]-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt",
              "refsource": "MISC",
              "url": "https://m0ze.ru/vulnerability/[2021-04-26]-[WordPress]-[CWE-79]-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2021-24330",
    "datePublished": "2021-06-01T11:33:31",
    "dateReserved": "2021-01-14T00:00:00",
    "dateUpdated": "2024-08-03T19:28:23.352Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-24330 (GCVE-0-2021-24330)

Vulnerability from cvelistv5 – Published: 2021-06-01 11:33 – Updated: 2024-08-03 19:28
Title
Funnel Builder by CartFlows < 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID
Summary
The Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high-privilege users to store an XSS payload in them. The payload is then executed either on pages generated by the plugin or across the whole website, depending on the settings used.
Severity
No CVSS data available.
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Assigner
Credits
m0ze

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:28:23.352Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://m0ze.ru/vulnerability/%5B2021-04-26%5D-%5BWordPress%5D-%5BCWE-79%5D-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "1.6.13",
              "status": "affected",
              "version": "1.6.13",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "m0ze"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-01T11:33:31",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://m0ze.ru/vulnerability/%5B2021-04-26%5D-%5BWordPress%5D-%5BCWE-79%5D-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Funnel Builder by CartFlows \u003c 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-24330",
          "STATE": "PUBLIC",
          "TITLE": "Funnel Builder by CartFlows \u003c 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.6.13",
                            "version_value": "1.6.13"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "m0ze"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used."
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477",
              "refsource": "CONFIRM",
              "url": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477"
            },
            {
              "name": "https://m0ze.ru/vulnerability/[2021-04-26]-[WordPress]-[CWE-79]-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt",
              "refsource": "MISC",
              "url": "https://m0ze.ru/vulnerability/[2021-04-26]-[WordPress]-[CWE-79]-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2021-24330",
    "datePublished": "2021-06-01T11:33:31",
    "dateReserved": "2021-01-14T00:00:00",
    "dateUpdated": "2024-08-03T19:28:23.352Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}