Vulnerabilities and security researches forcartflows cartflows

Jun 07, 2024

CVE, Research URL: CVE-2020-36736
Home page URL: Security reports for WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Application: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Date: Jul 01, 2023
Research Description: The WooCommerce Checkout & Funnel Builder by CartFlows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.15. This is due to missing or incorrect nonce validation on the export_json, import_json, and status_logs_file functions. This makes it possible for unauthenticated attackers to import/export settings and trigger logs showing via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 1.5.16.
Status: vulnerable

CVE, Research URL: CVE-2021-24330
Home page URL: Security reports for WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Application: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Date: Jun 01, 2021
Research Description: The Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used.
Affected versions: max 1.3.1.
Status: vulnerable

CVE, Research URL: CVE-2019-25151
Home page URL: Security reports for WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Application: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Date: Jun 07, 2023
Research Description: The Funnel Builder plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the activate_plugin function in versions up to, and including, 1.3.0. This makes it possible for authenticated attackers to activate any plugin on the vulnerable service.
Affected versions: max 1.3.1.
Status: vulnerable

CVE, Research URL: CVE-2024-29813
Home page URL: Security reports for WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Application: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Date: Mar 27, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CartFlows Inc. Funnel Builder by CartFlows allows Stored XSS.This issue affects Funnel Builder by CartFlows: from n/a through 2.0.1.
Affected versions: max 2.0.2.
Status: vulnerable

CVE, Research URL: -
Home page URL: Security reports for WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Application: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Date: Jun 07, 2023
Research Description: Rejected reason: CVE split into individual CVE IDs for each software record.
Affected versions: max 1.5.16.
Status: vulnerable

Jun 20, 2024

CVE, Research URL: CVE-2024-4632
Home page URL: Security reports for WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Application: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Date: Jun 19, 2024
Research Description: The WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_upload_mimes’ function in versions up to, and including, 2.0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.0.8.
Status: vulnerable

Feb 27, 2026

CVE, Research URL: CVE-2026-25316
Home page URL: Security reports for WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Application: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Date: Feb 19, 2026
Research Description: Deserialization of Untrusted Data vulnerability in Brainstorm Force CartFlows cartflows allows Object Injection.This issue affects CartFlows: from n/a through <= 2.1.19.
Affected versions: max 2.1.19.
Status: vulnerable