Description
The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that permits arbitrary script injection
Action: Update Plugin
AI Analysis

Impact

The Pixel Manager for WooCommerce plugin contains a stored cross‑site scripting vulnerability in its conversion‑pixel shortcodes. When a user with the contributor role or above supplies unsanitized attribute values, those values are rendered without proper escaping, enabling the attacker to inject arbitrary JavaScript. The injected script runs in the browser of any visitor who loads the affected page, potentially compromising user credentials, hijacking sessions, or redirecting traffic.

Affected Systems

The vulnerability affects the WordPress plugin Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing. All released versions up to and including 1.49.0 are affected. Any WordPress site running one of these versions, with an authenticated contributor‑level user, is at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. It requires a contributor‑level or higher role to inject the malicious attribute, and the impact is felt by any visitor who loads the page where the stored script runs.

Generated by OpenCVE AI on April 22, 2026 at 14:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pixel Manager for WooCommerce to the latest released version, ensuring it is newer than 1.49.0.
  • If an upgrade is not immediately possible, restrict contributor-level access to the plugin or remove shortcodes that allow attribute injection until a patch is applied.
  • As a short‑term measure, modify the shortcode settings to block custom attribute input or replace the plugin's shortcodes with sanitized versions.
  • Implement site‑wide input validation and output escaping best practices, ensuring any user‑supplied value in shortcodes is sanitized before rendering.
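The last recommendation is the one a plugin developer acts on. The example below is added here and is not the plugin's code; it uses a hypothetical shortcode tag, `[example_pixel id="..." value="..."]`, and hypothetical function names to show the two halves of the fix named in the description: validating user‑supplied attributes on the way in and escaping them for the context they land in on the way out. The unsafe form is shown only to mark where the two controls go. Contributors cannot post raw HTML (their content is filtered by `wp_kses` on save), but a shortcode handler runs at render time and its output is not filtered, so escaping inside the handler is what stops stored XSS through attributes.

```php
<?php
// Added example, not the plugin's own code. The shortcode tag, the track()
// JavaScript function and both handler names are hypothetical.

// Unsafe pattern: attribute values flow unescaped into an HTML attribute and
// into an inline <script>, so a contributor-supplied value controls the page.
function example_pixel_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'value' => '0' ), $atts, 'example_pixel' );
    return '<div class="pixel" data-id="' . $atts['id'] . '"></div>'
         . '<script>track("' . $atts['id'] . '", ' . $atts['value'] . ');</script>';
}

// Hardened form: restrict each attribute to the shape it should have, then
// escape for the exact output context (HTML attribute vs. JavaScript literal).
function example_pixel_safe( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'value' => '0' ), $atts, 'example_pixel' );

    // Input validation: sanitize_key() keeps only lowercase [a-z0-9_-], which
    // is the only shape a pixel id should ever have; the value is coerced to a float.
    $id = sanitize_key( $atts['id'] );
    if ( '' === $id ) {
        return ''; // refuse to render anything without a valid id
    }
    $value = (float) $atts['value'];

    // Output escaping: esc_attr() for the HTML attribute, wp_json_encode() to
    // emit JavaScript literals (json_encode escapes "/" so "</script>" cannot
    // terminate the block) instead of splicing raw strings into the script.
    $html  = '<div class="pixel" data-id="' . esc_attr( $id ) . '"></div>';
    $html .= '<script>track(' . wp_json_encode( $id ) . ', ' . wp_json_encode( $value ) . ');</script>';
    return $html;
}

add_shortcode( 'example_pixel', 'example_pixel_safe' );
```

Validation and escaping are separate controls and both belong in the handler: validation narrows an attribute such as `id` to values that make sense for the feature, while escaping makes whatever survives inert in the context where it is printed. Site operators reviewing their own shortcodes can check each handler for the same two steps.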


Advisories
Source: EUVD
ID: EUVD-2025-28701
Title: The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 20 Jun 2025 14:15:00 +0000

  • Metrics (ssvc), values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Jun 2025 02:30:00 +0000

  • Description, values added: The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  • Title, values added: Pixel Manager for WooCommerce (PRO) <= 1.49.0 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode
  • Weaknesses, values added: CWE-79
  • References, values added: (none listed)
  • Metrics (cvssV3_1), values added:
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:16.897Z

Reserved: 2025-06-17T12:45:57.042Z

Link: CVE-2025-6201

Vulnrichment

Updated: 2025-06-20T12:38:27.511Z

NVD

Status: Deferred

Published: 2025-06-19T03:15:26.017

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6201

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:00:05Z

Weaknesses