CVE-2024-6288: Reflected XSS in Conversios WooCommerce Tracking
A reflected cross-site scripting issue in the Conversios WooCommerce tracking plugin.
CVE-2024-6288 is a reflected cross-site scripting issue in the Conversios WordPress plugin for WooCommerce tracking and analytics integrations.
The public advisory describes the vulnerable input as the tiktok_user_id parameter. Versions up to and including 7.1.0 did not sufficiently sanitize input and escape output for that value, making it possible for an unauthenticated attacker to inject script that would execute if they could convince a user to open a crafted link.
The bug
This was a classic reflected XSS pattern: a request parameter reached generated HTML without enough validation and escaping.
The detail that made it worth reporting was where it appeared. Analytics and advertising plugins often sit close to high-value business workflows: conversion tracking, product feeds, campaign pixels, and storefront pages. They also tend to carry a lot of configuration surface because they integrate with several external services at once.
Why it mattered
The CVSS score was 4.7 medium, with user interaction required. That is the right shape for a reflected XSS issue: the attacker needs a victim to open a crafted URL.
Even with that limitation, XSS in a WordPress context can still matter. If the wrong user opens the link while authenticated, the script runs inside the site's origin. That can expose session-adjacent page data, perform actions available to the victim, or become a stepping stone into a broader attack chain.
Fix
Conversios patched the issue in version 7.1.1. Site owners should update to 7.1.1 or newer.