CVE-2021-24330

CVE-2021-24330: Funnel Builder by CartFlows < 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID

Vendor Unknown

Product Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress

Weakness CWE-79 · XSS

Published June 1, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used.

Key dates

02Disclosure timeline

June 1, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24330

Related vulnerabilities

04Related CVE

CVE-2025-8685 Wp chart generator <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpchart Shortcode CVE-2026-6696 Zingaya Click-to-Call <= 1.0 - Reflected Cross-Site Scripting via 'email' Parameter CVE-2024-56032 WordPress FV Descriptions plugin <= 1.4 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2022-2628 DSGVO All in one for WP < 4.2 - Admin+ Stored Cross-Site Scripting CVE-2026-4069 Alfie – Feed Plugin <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'naam' Parameter