VYPR
Medium severity (CVSS 6.4) · NVD Advisory · Published Dec 21, 2024 · Updated Apr 15, 2026

CVE-2024-11938

Description

The One Click Upsell Funnel for WooCommerce – Funnel Builder for WordPress, Create WooCommerce Upsell, Post-Purchase Upsell & Cross Sell Offers that Boost Sales & Increase Profits with Sales Funnel Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wps_wocuf_pro_yes shortcode in all versions up to, and including, 3.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Insufficient input sanitization and output escaping on user-supplied attributes of the wps_wocuf_pro_yes shortcode allows stored cross-site scripting."

Attack vector

An authenticated attacker with at least contributor-level access can inject arbitrary JavaScript into a page by crafting malicious attribute values in the `wps_wocuf_pro_yes` shortcode [CWE-79]. Because the plugin fails to sanitize and escape these user-supplied attributes, the injected script is stored and executed in the browsers of any user who subsequently visits the affected page. The attack is network-based, requires low privileges, and does not require user interaction.

Affected code

The vulnerability resides in the `wps_wocuf_pro_yes` shortcode provided by the One Click Upsell Funnel for WooCommerce plugin. User-supplied attributes passed to this shortcode are not properly sanitized or escaped before being output, allowing stored cross-site scripting.

What the fix does

The advisory does not include a published patch diff, but the plugin's changelog indicates that version 3.4.10 (released 20 December 2024) contains a fix labeled 'Fix Security issues' [ref_id=1]. The remediation would involve adding proper input sanitization and output escaping to the `wps_wocuf_pro_yes` shortcode handler so that user-supplied attribute values are neutralized before being rendered in the page.
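As an added illustration of the pattern the advisory describes (hypothetical example code, not the plugin's own handler; the `demo_offer` shortcode and its `title`/`url` attributes are assumed), here is an unescaped shortcode handler beside a hardened one using WordPress's own sanitization and escaping helpers:

```php
<?php
// Added example, not code from the plugin. The shortcode name and attributes
// are assumed; the point is where sanitization and escaping must happen.

// Unescaped pattern: attribute values are concatenated straight into HTML.
// Anything a Contributor writes into [demo_offer title="..."] reaches every
// visitor's browser unchanged, which is the stored XSS condition.
function demo_offer_unescaped( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'url' => '' ), $atts, 'demo_offer' );
    return '<a class="offer" href="' . $atts['url'] . '">' . $atts['title'] . '</a>';
}

// Hardened: sanitize on input, then escape for the exact output context.
function demo_offer_hardened( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'url' => '' ), $atts, 'demo_offer' );

    // sanitize_text_field() strips tags, octets and line breaks from the value.
    $title = sanitize_text_field( $atts['title'] );

    // esc_url() only allows a safe set of schemes and returns '' otherwise,
    // so the href can never carry an executable scheme.
    $url = esc_url( $atts['url'] );

    // esc_html() is the correct escaper for a text-node context; esc_attr()
    // would be used if $title were placed inside an attribute instead.
    return '<a class="offer" href="' . $url . '">' . esc_html( $title ) . '</a>';
}

add_shortcode( 'demo_offer', 'demo_offer_hardened' );
```

Escaping must match the output context: the same value needs `esc_attr()` inside an attribute, `esc_html()` in element text, and `esc_url()` in a URL attribute.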

Preconditions

  • Auth: the attacker must have a WordPress account with at least Contributor-level privileges
  • Config: the vulnerable shortcode `wps_wocuf_pro_yes` must be usable on a post or page
  • Network: network access to the WordPress site is required
  • Input: malicious input is supplied via shortcode attributes

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
