CVE-2025-67564
📋 TL;DR
This vulnerability in Pixel Manager for WooCommerce exposes sensitive system information to unauthorized parties. It affects WordPress sites using this plugin, allowing attackers to retrieve embedded sensitive data. All users with versions up to and including 1.51.1 are vulnerable.
💻 Affected Systems
- Pixel Manager for WooCommerce (woocommerce-google-adwords-conversion-tracking-tag)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could extract sensitive configuration data, API keys, or other embedded secrets, potentially leading to further system compromise or data theft.
Likely Case
Unauthorized users accessing sensitive plugin configuration data that could be used for reconnaissance or targeted attacks.
If Mitigated
Limited exposure with proper access controls and network segmentation preventing external access to vulnerable endpoints.
🎯 Exploit Status
CWE-497 typically involves simple information disclosure through accessible endpoints or responses.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.51.1
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Pixel Manager for WooCommerce'.
4. Click 'Update Now' if available, or manually update to latest version.
5. Verify update completes successfully.
🔧 Temporary Workarounds
Disable Plugin
All platforms: temporarily disable the vulnerable plugin until patched
wp plugin deactivate woocommerce-google-adwords-conversion-tracking-tag
Restrict Access
All platforms: use a web application firewall to block access to plugin endpoints
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access WordPress admin and plugin endpoints
- Monitor logs for unusual access patterns to plugin-related URLs and endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Pixel Manager for WooCommerce version <= 1.51.1
Check Version:
wp plugin get woocommerce-google-adwords-conversion-tracking-tag --field=version
Verify Fix Applied:
Verify plugin version is greater than 1.51.1 in WordPress admin or using: wp plugin get woocommerce-google-adwords-conversion-tracking-tag --field=version
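The version check above, as an added example that is not part of the original advisory or of the plugin's code: a POSIX shell script that compares the installed version field by field against the last affected release, so that 1.9.0 is not mistaken for newer than 1.51.1. The 1.51.1 threshold and the plugin slug come from this page; the function names and the site paths in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify Pixel Manager for WooCommerce installs against the
# last affected release named on this page.
LAST_AFFECTED="1.51.1"
PLUGIN_SLUG="woocommerce-google-adwords-conversion-tracking-tag"

# version_le A B: succeed when dotted version A <= B. Fields are compared
# numerically, so 1.9.0 < 1.51.1 and 1.51.10 > 1.51.1; missing fields are 0.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 0
    }'
}

# classify_version VERSION: print "vulnerable", "patched" or "unknown".
# Anything that is not a plain dotted number (empty, "1.52.0-beta") is
# reported as "unknown" so it gets a manual look instead of a false "patched".
classify_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) echo "unknown"; return ;;
    esac
    if version_le "$1" "$LAST_AFFECTED"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# check_site WP_PATH: query one WordPress install through WP-CLI.
check_site() {
    ver=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$1" 2>/dev/null) || ver=""
    printf '%s\t%s\t%s\n' "$1" "${ver:-not-installed}" "$(classify_version "$ver")"
}

# Usage (constructed paths): sh check_pmw.sh /var/www/site1 /var/www/site2
for site in "$@"; do
    check_site "$site"
done
```

A site reported as "unknown" either does not have the plugin installed or reports a version string the script does not parse; check those by hand in the admin panel.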
📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests to plugin-specific endpoints
- Access to sensitive data disclosure endpoints
Network Indicators:
- HTTP requests to /wp-content/plugins/woocommerce-google-adwords-conversion-tracking-tag/ endpoints returning sensitive data
SIEM Query:
source="web_access_logs" AND (uri="/wp-content/plugins/woocommerce-google-adwords-conversion-tracking-tag/*" OR user_agent CONTAINS "scanner")