CVE-2025-12878
Description
The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wfop_phone shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and output escaping on the user-supplied default attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the FunnelKit WooCommerce funnel builder plugin via unfiltered `default` attribute in the `wfop_phone` shortcode, exploitable by Contributor-level attackers.
Vulnerability Overview
The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress versions up to and including 3.13.1.2 is vulnerable to Stored Cross-Site Scripting (XSS). The flaw resides in the wfop_phone shortcode, where the default attribute is not properly sanitized or escaped when rendered on a page. This allows malicious HTML or JavaScript to be stored and executed in the context of a user's browser session [1].
Attack Surface
An authenticated attacker with Contributor-level access or higher can inject arbitrary web scripts by supplying a crafted default value in the shortcode. No additional privileges are required beyond the Contributor role, which is commonly granted to lower-level content authors. The injected script will execute for any user who views the affected page, including administrators and store visitors [1].
Impact
Successful exploitation enables the attacker to perform a range of malicious actions, such as stealing session cookies, redirecting users to phishing sites, or modifying page content. Because the attack is stored, the payload persists until the shortcode is manually removed or the plugin is updated.
Mitigation
The vendor has addressed this vulnerability in version 3.13.1.3 and later. Users are strongly advised to update to the latest version immediately. No workarounds have been published, but disabling the shortcode or restricting Contributor permissions could reduce risk in the interim.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
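The defect class the description names (a shortcode attribute that is neither sanitized on input nor escaped for its output context) and the interim measure the narrative mentions (disabling the shortcode) can both be shown in a few lines of WordPress PHP. The following is an added illustrative example written for this page, not FunnelKit's code and not the contents of the referenced `class-bwf-optin-tags.php`; only the shortcode name `wfop_phone` and the attribute name `default` come from the advisory, while the function names and the rendered `<input>` markup are assumptions.

```php
<?php
// Added illustrative example, not FunnelKit's own code. The shortcode
// name and the 'default' attribute come from the advisory; the function
// names and the markup they emit are assumptions.

// Weak pattern: the user-controlled 'default' attribute is concatenated
// straight into HTML. Anything a Contributor saved in the post body
// reaches every viewer's browser unchanged, which is the stored XSS.
function wfop_phone_render_weak( $atts ) {
    $atts = shortcode_atts( array( 'default' => '' ), $atts, 'wfop_phone' );
    return '<input type="tel" name="phone" value="' . $atts['default'] . '">';
}

// Hardened pattern: normalize on input and escape for the output context
// (an HTML attribute) at the point of rendering. A plugin would register
// this with add_shortcode( 'wfop_phone', 'wfop_phone_render_hardened' ).
function wfop_phone_render_hardened( $atts ) {
    $atts = shortcode_atts( array( 'default' => '' ), $atts, 'wfop_phone' );
    // sanitize_text_field() strips tags, octets and line breaks;
    // esc_attr() encodes quotes and angle brackets for attribute context.
    $default = sanitize_text_field( $atts['default'] );
    return '<input type="tel" name="phone" value="' . esc_attr( $default ) . '">';
}

// Interim measure from the narrative: a site operator who cannot update
// yet can unregister the shortcode from a must-use plugin so the saved
// attribute is never rendered. Priority 99 runs after the plugin's own
// registration on 'init'.
add_action( 'init', function () {
    if ( shortcode_exists( 'wfop_phone' ) ) {
        remove_shortcode( 'wfop_phone' );
    }
}, 99 );
```

Escaping belongs at the output site rather than only at save time: WordPress already filters post content for Contributors, yet shortcode attributes are parsed from that content at render time, so the handler itself must escape for the context it writes into.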
Affected products
- Range: <=3.13.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php (nvd)
- plugins.trac.wordpress.org/changeset/3397106/funnel-builder/tags/3.13.1.3/merge-tags/class-bwf-contact-tags.php (nvd)
- wordpress.org/plugins/funnel-builder (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/6f54053e-30ff-449b-b696-92d503011a4d (nvd)
News mentions
No linked articles in our index yet.