CVE-2025-47678

Vulnerability

Overview

The FunnelCockpit plugin for WordPress versions 1.4.3 and earlier contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into a web page response.

Exploitation

Details

Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page [1]. No authentication is needed; the attacker can deliver the malicious payload via a URL, causing the vulnerable plugin to reflect the input back to the requesting browser without proper sanitization.

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser session. This can lead to data theft, session hijacking, defacement, or redirection to malicious sites [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass exploitation campaigns targeting WordPress sites regardless of size or popularity.

Mitigation

The vulnerability is fixed in version 1.4.4 of the plugin. Users are strongly advised to update immediately [1]. Automatically enabling plugin updates or using a web application firewall rule that blocks reflected XSS payloads can provide protection until the update is applied. Patchstack has issued a mitigation rule for their customers [1].