Posts

CVE-2024-6288: Reflected XSS in Conversios WooCommerce Tracking

A reflected cross-site scripting issue in the Conversios WooCommerce tracking plugin.

CVE-2024-6288 is a reflected cross-site scripting issue in the Conversios WordPress plugin for WooCommerce tracking and analytics integrations.

The public advisory describes the vulnerable input as the tiktok_user_id parameter. Versions up to and including 7.1.0 did not sufficiently sanitize input and escape output for that value, making it possible for an unauthenticated attacker to inject script that would execute if they could convince a user to open a crafted link.

Summary card for CVE-2024-6288 showing affected product, impact, and CVSS score
CVE-2024-6288 affected Conversios versions up to and including 7.1.0. As of June 2026, WordPress.org lists the plugin at 10,000+ active installations.

The bug

This was a classic reflected XSS pattern: a request parameter reached generated HTML without enough validation and escaping.

The detail that made it worth reporting was where it appeared. Analytics and advertising plugins often sit close to high-value business workflows: conversion tracking, product feeds, campaign pixels, and storefront pages. They also tend to carry a lot of configuration surface because they integrate with several external services at once.

Why it mattered

The CVSS score was 4.7 medium, with user interaction required. That is the right shape for a reflected XSS issue: the attacker needs a victim to open a crafted URL.

Even with that limitation, XSS in a WordPress context can still matter. If the wrong user opens the link while authenticated, the script runs inside the site's origin. That can expose session-adjacent page data, perform actions available to the victim, or become a stepping stone into a broader attack chain.

Fix

Conversios patched the issue in version 7.1.1. Site owners should update to 7.1.1 or newer.

References