Skip to main content

Cartflows

6 CVEs product

Monthly

CVE-2026-39477 MEDIUM This Month

Missing authorization in Brainstorm Force CartFlows WordPress plugin versions up to 2.2.3 allows authenticated attackers to modify data through incorrectly configured access control, enabling unauthorized changes to plugin settings or resources. CVSS 4.3 (low severity) with EPSS 0.02% indicates limited real-world exploitation probability; the vulnerability requires prior authentication and does not enable code execution or confidentiality breaches.

Authentication Bypass Cartflows
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2023-36685 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force US LLC CartFlows Pro allows Cross Site Request Forgery.11.12. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Cartflows
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2023-36686 MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Cartflows
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2020-36736 MEDIUM POC PATCH This Month

The WooCommerce Checkout & Funnel Builder by CartFlows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.15. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress CSRF Cartflows
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2019-25151 MEDIUM POC This Month

The Funnel Builder plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the activate_plugin function in versions up to, and including, 1.3.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation WordPress Cartflows
NVD WPScan
CVSS 3.1
5.4
EPSS
0.0%
CVE-2021-24330 MEDIUM POC This Month

The Funnel Builder by CartFlows - Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Cartflows
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in Brainstorm Force CartFlows WordPress plugin versions up to 2.2.3 allows authenticated attackers to modify data through incorrectly configured access control, enabling unauthorized changes to plugin settings or resources. CVSS 4.3 (low severity) with EPSS 0.02% indicates limited real-world exploitation probability; the vulnerability requires prior authentication and does not enable code execution or confidentiality breaches.

Authentication Bypass Cartflows
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force US LLC CartFlows Pro allows Cross Site Request Forgery.11.12. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Cartflows
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Cartflows
NVD
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

The WooCommerce Checkout & Funnel Builder by CartFlows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.15. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress CSRF Cartflows
NVD
EPSS 0% CVSS 5.4
MEDIUM POC This Month

The Funnel Builder plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the activate_plugin function in versions up to, and including, 1.3.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation WordPress Cartflows
NVD WPScan
EPSS 1% CVSS 4.8
MEDIUM POC This Month

The Funnel Builder by CartFlows - Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Cartflows
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy