A critical Cross-Site Scripting (XSS) vulnerability has been identified in the CartFlows Pro plugin, underscoring the significance of prioritizing WordPress security. This security flaw allows attackers to inject malicious scripts into a victim’s browser, potentially leading to data theft or other malicious activities. The discovery and responsible reporting of this vulnerability were attributed to Rafie Muhammad of Patchstack, highlighting the severity of the issue.

The vulnerability is a reflected XSS flaw found in the cartflows_pro_el_widgets_loader.php file. Attackers can exploit this vulnerability by luring victims into visiting specially crafted URLs.


The CVSS 3.1 score of 7.5 classifies this vulnerability as high severity, highlighting the potential for exploitation and significant impact on affected systems.

Affected Versions:

The vulnerability affects CartFlows Pro versions 1.11.11 and earlier, leaving older versions vulnerable to potential exploitation.


If exploited, this XSS vulnerability enables attackers to inject harmful scripts directly into a victim’s browser, potentially leading to the theft of cookies or session tokens, redirection to malicious websites, or execution of arbitrary commands on the victim’s computer.


To ensure the security of WordPress websites and protect against potential attacks, users of the CartFlows Pro plugin are strongly advised to take the following actions:

  1. Update to Version 1.11.12: Immediately update the CartFlows Pro plugin to version 1.11.12 or higher. This update includes the necessary fix to address the XSS vulnerability and enhance overall plugin security.
  2. Regular Security Checks: Conduct regular security checks of your WordPress website to identify and mitigate potential vulnerabilities proactively.
  3. Stay Informed: Keep abreast of security updates and advisories from the CartFlows Pro developers. Regularly check for plugin updates and apply them promptly.

By promptly updating to the latest version of CartFlows Pro, website owners can fortify their WordPress security posture and safeguard against potential exploits, ensuring a safe and secure experience for website visitors and users.