PT-2021-15867 · Cartflows · The Funnel Builder By Cartflows

M0Ze +1 · Published 2021-06-01 · Updated 2023-08-09 · CVE-2021-24330

CVSS v3.1: 4.8 Medium

Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

The Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress plugin versions prior to 1.6.13

Description

The plugin does not sanitize its Facebook pixel ID and Google Analytics ID settings, which allows high-privilege users to store XSS payloads in them. The payload can then execute on pages generated by the plugin or on the whole website, depending on the settings used.

Recommendations

For versions prior to 1.6.13, update to version 1.6.13 or later to resolve the issue. As a temporary workaround, consider restricting access to the Facebook pixel ID and Google Analytics ID settings to prevent high-privilege users from setting XSS payloads.
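
The class of defect described above, shown as an added example (not CartFlows code and not the 1.6.13 patch): allowlist validation when the setting is saved, plus JavaScript-context encoding when it is printed. The function names, the accepted ID shapes and the sample values are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);
// Added illustration: names and accepted ID shapes are assumptions, not CartFlows code.

// Allowlist for a Facebook pixel ID: digits only (length bound assumed for this example).
function example_clean_pixel_id(string $raw): string
{
    $raw = trim($raw);
    return preg_match('/\A[0-9]{5,20}\z/', $raw) === 1 ? $raw : '';
}

// Allowlist for a Google Analytics ID: UA-<account>-<property> or G-<id> (assumed shapes).
function example_clean_ga_id(string $raw): string
{
    $raw = strtoupper(trim($raw));
    $ok  = preg_match('/\A(?:UA-[0-9]{4,12}-[0-9]{1,4}|G-[A-Z0-9]{4,20})\z/', $raw) === 1;
    return $ok ? $raw : '';
}

// Encode a value as a JavaScript string literal for an inline <script> block.
// The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the value
// cannot end the string literal or the surrounding script element.
function example_js_literal(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($value, $flags);
}

// Constructed sample settings values (not taken from the advisory).
$samples = [
    ['pixel', '123456789012345'],
    ['pixel', '1234"></script><b>x</b>'],
    ['ga',    'ua-1234567-1'],
    ['ga',    "G-ABC123'; //"],
];

foreach ($samples as [$kind, $raw]) {
    $clean = $kind === 'pixel' ? example_clean_pixel_id($raw) : example_clean_ga_id($raw);
    // Save time: reject anything that is not a well-formed ID.
    // Render time: encode anyway, in case an older stored value predates the check.
    printf("%-5s stored=%-18s rendered=%s\n", $kind, var_export($clean, true), example_js_literal($raw));
}
```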

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2021-24330

Affected Products: The Funnel Builder By Cartflows