Search criteria
4 vulnerabilities found for Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more by alekv
CVE-2025-12545 (GCVE-0-2025-12545)
Vulnerability from cvelistv5 – Published: 2025-11-18 13:54 – Updated: 2025-11-18 14:27
VLAI?
Title
Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more <= 1.49.2 - Unauthenticated Information Exposure
Summary
The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.49.2 via the ajax_pmw_get_product_ids() function due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| alekv | Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more |
Affected:
* , ≤ 1.49.2
(semver)
|
Credits
Athiwat Tiprasaharn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12545",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T14:25:36.833401Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T14:27:27.545Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more",
"vendor": "alekv",
"versions": [
{
"lessThanOrEqual": "1.49.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.49.2 via the ajax_pmw_get_product_ids() function due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T13:54:50.617Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9babb946-4033-4e66-8f59-b73185ffcd49?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-google-adwords-conversion-tracking-tag/tags/1.49.2/includes/pixels/class-pixel-manager.php#L343"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-google-adwords-conversion-tracking-tag/tags/1.49.2/includes/pixels/class-pixel-manager.php#L1235"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-24T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-10-31T11:36:31.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-18T01:18:04.000+00:00",
"value": "Disclosed"
}
],
"title": "Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more \u003c= 1.49.2 - Unauthenticated Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12545",
"datePublished": "2025-11-18T13:54:50.617Z",
"dateReserved": "2025-10-31T11:20:54.685Z",
"dateUpdated": "2025-11-18T14:27:27.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6201 (GCVE-0-2025-6201)
Vulnerability from cvelistv5 – Published: 2025-06-19 02:10 – Updated: 2025-06-20 13:12
VLAI?
Title
Pixel Manager for WooCommerce (PRO) <= 1.49.0 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Summary
The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| alekv | Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more |
Affected:
* , ≤ 1.49.0
(semver)
|
Credits
Youcef Hamdani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-20T12:38:26.461264Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-20T13:12:16.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more",
"vendor": "alekv",
"versions": [
{
"lessThanOrEqual": "1.49.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T02:10:36.805Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/170a4cf2-d379-4c4e-b9e5-fb3b3bd91a40?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-google-adwords-conversion-tracking-tag/trunk/includes/pixels/class-shortcodes.php#L289"
},
{
"url": "https://wordpress.org/plugins/woocommerce-google-adwords-conversion-tracking-tag/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3313714/woocommerce-google-adwords-conversion-tracking-tag/trunk/includes/pixels/class-shortcodes.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-18T11:16:34.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-06-18T13:52:25.000+00:00",
"value": "Disclosed"
}
],
"title": "Pixel Manager for WooCommerce (PRO) \u003c= 1.49.0 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-6201",
"datePublished": "2025-06-19T02:10:36.805Z",
"dateReserved": "2025-06-17T12:45:57.042Z",
"dateUpdated": "2025-06-20T13:12:16.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-12545 (GCVE-0-2025-12545)
Vulnerability from nvd – Published: 2025-11-18 13:54 – Updated: 2025-11-18 14:27
VLAI?
Title
Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more <= 1.49.2 - Unauthenticated Information Exposure
Summary
The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.49.2 via the ajax_pmw_get_product_ids() function due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| alekv | Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more |
Affected:
* , ≤ 1.49.2
(semver)
|
Credits
Athiwat Tiprasaharn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12545",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T14:25:36.833401Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T14:27:27.545Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more",
"vendor": "alekv",
"versions": [
{
"lessThanOrEqual": "1.49.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.49.2 via the ajax_pmw_get_product_ids() function due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T13:54:50.617Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9babb946-4033-4e66-8f59-b73185ffcd49?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-google-adwords-conversion-tracking-tag/tags/1.49.2/includes/pixels/class-pixel-manager.php#L343"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-google-adwords-conversion-tracking-tag/tags/1.49.2/includes/pixels/class-pixel-manager.php#L1235"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-24T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-10-31T11:36:31.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-18T01:18:04.000+00:00",
"value": "Disclosed"
}
],
"title": "Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more \u003c= 1.49.2 - Unauthenticated Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12545",
"datePublished": "2025-11-18T13:54:50.617Z",
"dateReserved": "2025-10-31T11:20:54.685Z",
"dateUpdated": "2025-11-18T14:27:27.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6201 (GCVE-0-2025-6201)
Vulnerability from nvd – Published: 2025-06-19 02:10 – Updated: 2025-06-20 13:12
VLAI?
Title
Pixel Manager for WooCommerce (PRO) <= 1.49.0 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Summary
The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| alekv | Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more |
Affected:
* , ≤ 1.49.0
(semver)
|
Credits
Youcef Hamdani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-20T12:38:26.461264Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-20T13:12:16.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more",
"vendor": "alekv",
"versions": [
{
"lessThanOrEqual": "1.49.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Pixel Manager for WooCommerce \u2013 Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T02:10:36.805Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/170a4cf2-d379-4c4e-b9e5-fb3b3bd91a40?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-google-adwords-conversion-tracking-tag/trunk/includes/pixels/class-shortcodes.php#L289"
},
{
"url": "https://wordpress.org/plugins/woocommerce-google-adwords-conversion-tracking-tag/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3313714/woocommerce-google-adwords-conversion-tracking-tag/trunk/includes/pixels/class-shortcodes.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-18T11:16:34.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-06-18T13:52:25.000+00:00",
"value": "Disclosed"
}
],
"title": "Pixel Manager for WooCommerce (PRO) \u003c= 1.49.0 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-6201",
"datePublished": "2025-06-19T02:10:36.805Z",
"dateReserved": "2025-06-17T12:45:57.042Z",
"dateUpdated": "2025-06-20T13:12:16.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}