{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6201", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-17T12:45:57.042Z", "datePublished": "2025-06-19T02:10:36.805Z", "dateUpdated": "2026-04-08T16:37:16.897Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:16.897Z"}, "affected": [{"vendor": "alekv", "product": "Pixel Manager for WooCommerce \u2013 Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.49.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Pixel Manager for WooCommerce (PRO) <= 1.49.0 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/170a4cf2-d379-4c4e-b9e5-fb3b3bd91a40?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-google-adwords-conversion-tracking-tag/trunk/includes/pixels/class-shortcodes.php#L289"}, {"url": "https://wordpress.org/plugins/woocommerce-google-adwords-conversion-tracking-tag/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3313714/woocommerce-google-adwords-conversion-tracking-tag/trunk/includes/pixels/class-shortcodes.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2025-06-18T11:16:34.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-06-18T13:52:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-20T12:38:26.461264Z", "id": "CVE-2025-6201", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T13:12:16.184Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6201", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-20T12:38:26.461264Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T12:38:27.511Z"}}], "cna": {"title": "Pixel Manager for WooCommerce (PRO) <= 1.49.0 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "alekv", "product": "Pixel Manager for WooCommerce \u2013 Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.49.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-18T11:16:34.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-06-18T13:52:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/170a4cf2-d379-4c4e-b9e5-fb3b3bd91a40?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woocommerce-google-adwords-conversion-tracking-tag/trunk/includes/pixels/class-shortcodes.php#L289"}, {"url": "https://wordpress.org/plugins/woocommerce-google-adwords-conversion-tracking-tag/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3313714/woocommerce-google-adwords-conversion-tracking-tag/trunk/includes/pixels/class-shortcodes.php"}], "descriptions": [{"lang": "en", "value": "The Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:16.897Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6201", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:16.897Z", "dateReserved": "2025-06-17T12:45:57.042Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-19T02:10:36.805Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more para WordPress es vulnerable a Cross-site Scripting almacenado a trav\u00e9s del p\u00edxel de conversi\u00f3n del complemento en todas las versiones hasta la 1.49.0 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-6201", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-19T03:15:26.017", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woocommerce-google-adwords-conversion-tracking-tag/trunk/includes/pixels/class-shortcodes.php#L289"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3313714/woocommerce-google-adwords-conversion-tracking-tag/trunk/includes/pixels/class-shortcodes.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/woocommerce-google-adwords-conversion-tracking-tag/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/170a4cf2-d379-4c4e-b9e5-fb3b3bd91a40?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:48:58.664461+00:00", "value": {"mitigation_remediation": ["Upgrade Pixel Manager for WooCommerce to the latest released version, ensuring it is newer than 1.49.0.", "If an upgrade is not immediately possible, restrict contributor-level access to the plugin or remove shortcodes that allow attribute injection until a patch is applied.", "As a short\u2011term measure, modify the shortcode settings to block custom attribute input or replace the plugin's shortcodes with sanitized versions.", "Implement site\u2011wide input validation and output escaping best practices, ensuring any user\u2011supplied value in shortcodes is sanitized before rendering."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting that permits arbitrary script injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin Pixel Manager for WooCommerce \u2013 Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing. All released versions up to and including 1.49.0 are affected. Any WordPress site running one of these versions, with an authenticated contributor\u2011level user, is at risk.", "description_and_impact": "The Pixel Manager for WooCommerce plugin contains a stored cross\u2011site scripting vulnerability in its conversion\u2011pixel shortcodes. When a contributor or higher user supplies unsanitized attribute values, those values are rendered without proper escaping, enabling the attacker to inject arbitrary JavaScript. Executed scripts run in the context of any visitor who loads the affected page, potentially compromising user credentials, hijacking sessions, or redirecting traffic.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. It requires a contributor\u2011level or higher role to inject the malicious attribute, and the impact is felt by any visitor who loads the page where the stored script runs."}}}}, "created": "2026-04-22T15:00:05.609765+00:00", "updated": "2026-04-22T15:00:05.609782+00:00", "vendors": []}