Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress by Unknown

    CVE-2021-24330 (GCVE-0-2021-24330)

    Vulnerability from nvd – Published: 2021-06-01 11:33 – Updated: 2024-08-03 19:28
    VLAI
    Title
    Funnel Builder by CartFlows < 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID
    Summary
    The Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    m0ze
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:28:23.352Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://m0ze.ru/vulnerability/%5B2021-04-26%5D-%5BWordPress%5D-%5BCWE-79%5D-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.6.13",
                  "status": "affected",
                  "version": "1.6.13",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "m0ze"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-01T11:33:31.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://m0ze.ru/vulnerability/%5B2021-04-26%5D-%5BWordPress%5D-%5BCWE-79%5D-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Funnel Builder by CartFlows \u003c 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24330",
              "STATE": "PUBLIC",
              "TITLE": "Funnel Builder by CartFlows \u003c 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.6.13",
                                "version_value": "1.6.13"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "m0ze"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477"
                },
                {
                  "name": "https://m0ze.ru/vulnerability/[2021-04-26]-[WordPress]-[CWE-79]-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt",
                  "refsource": "MISC",
                  "url": "https://m0ze.ru/vulnerability/[2021-04-26]-[WordPress]-[CWE-79]-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24330",
        "datePublished": "2021-06-01T11:33:31.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:28:23.352Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24330 (GCVE-0-2021-24330)

    Vulnerability from cvelistv5 – Published: 2021-06-01 11:33 – Updated: 2024-08-03 19:28
    VLAI
    Title
    Funnel Builder by CartFlows < 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID
    Summary
    The Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    m0ze
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:28:23.352Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://m0ze.ru/vulnerability/%5B2021-04-26%5D-%5BWordPress%5D-%5BCWE-79%5D-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.6.13",
                  "status": "affected",
                  "version": "1.6.13",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "m0ze"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-01T11:33:31.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://m0ze.ru/vulnerability/%5B2021-04-26%5D-%5BWordPress%5D-%5BCWE-79%5D-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Funnel Builder by CartFlows \u003c 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24330",
              "STATE": "PUBLIC",
              "TITLE": "Funnel Builder by CartFlows \u003c 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.6.13",
                                "version_value": "1.6.13"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "m0ze"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Funnel Builder by CartFlows \u2013 Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/b9748066-83b7-4762-9124-de021f687477"
                },
                {
                  "name": "https://m0ze.ru/vulnerability/[2021-04-26]-[WordPress]-[CWE-79]-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt",
                  "refsource": "MISC",
                  "url": "https://m0ze.ru/vulnerability/[2021-04-26]-[WordPress]-[CWE-79]-Funnel-Builder-by-CartFlows-WordPress-Plugin-v1.6.12.txt"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24330",
        "datePublished": "2021-06-01T11:33:31.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:28:23.352Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }