Overview
CVE-2025-12878 is a medium-severity security vulnerability affecting the FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress. Specifically, a Stored Cross-Site Scripting (XSS) vulnerability exists in versions up to and including 3.13.1.2. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code into pages. When other users access these compromised pages, the injected script executes, potentially leading to account takeover, data theft, or other malicious activities.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping within the `wfop_phone` shortcode. The `default` attribute of this shortcode allows users to specify a default phone number. However, versions up to 3.13.1.2 fail to properly sanitize the input provided through this attribute and escape it when it is rendered in the page.
An attacker can craft a malicious `wfop_phone` shortcode with a `default` attribute containing arbitrary JavaScript code. For example:
[wfop_phone default="<script>alert('XSS Vulnerability!');</script>"]
When a user visits a page containing this injected shortcode, the JavaScript code will execute in their browser.
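To make the defect concrete, the following is an added illustration written for this page, not FunnelKit's own code: a minimal shortcode handler with the same shape as the described flaw (the `default` attribute is written into markup unmodified) next to a hardened version that sanitizes on input and escapes on output. The function names, the `<input type="tel">` markup and the `add_shortcode()` registration are assumptions; only the shortcode name `wfop_phone` and its `default` attribute come from the advisory.

```php
<?php
// Added illustration (not the plugin's code). Function names are hypothetical.

// VULNERABLE pattern: the `default` attribute is echoed into the page verbatim.
function wfop_phone_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'default' => '' ), $atts, 'wfop_phone' );
    // No sanitization on the way in and no escaping on the way out, so any
    // markup placed in default="..." is rendered as HTML for every visitor.
    return '<input type="tel" name="phone" value="' . $atts['default'] . '">';
}

// HARDENED pattern: sanitize the input, then escape it for the attribute context.
function wfop_phone_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'default' => '' ), $atts, 'wfop_phone' );
    // sanitize_text_field() strips tags and line breaks; the value is then
    // restricted to characters that can legitimately appear in a phone number.
    $default = sanitize_text_field( $atts['default'] );
    $default = preg_replace( '/[^0-9+\-\s().]/', '', $default );
    // esc_attr() encodes quotes and angle brackets, so even if the character
    // filter above were relaxed the value could not break out of the attribute.
    return '<input type="tel" name="phone" value="' . esc_attr( $default ) . '">';
}

// Hypothetical registration of the hardened handler (shown for completeness;
// on a live site the real plugin already registers this shortcode name).
add_shortcode( 'wfop_phone', 'wfop_phone_shortcode_safe' );
```

The two defences are deliberately layered: the allow-list filter keeps a phone-number field from carrying anything but a phone number, and `esc_attr()` guarantees attribute-safe output regardless of what the filter lets through. Escaping at the point of output is the control that the advisory says was missing in versions up to 3.13.1.2.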
The affected files are primarily within the `modules/optins/merge-tags/` directory of the plugin as highlighted in the reference links below. Specifically, these files show the lack of proper escaping:
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12878 is 6.4 (Medium).
This score reflects the following factors:
- Attack Vector (AV): Network (N) – The vulnerability can be exploited remotely.
- Attack Complexity (AC): Low (L) – Exploitation requires no special conditions or preparation beyond the access level noted below.
- Privileges Required (PR): Low (L) – Requires Contributor-level access.
- User Interaction (UI): Required (R) – Requires a user to interact with the injected content.
- Scope (S): Changed (C) – An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component.
- Confidentiality Impact (C): Low (L) – Limited information disclosure.
- Integrity Impact (I): Low (L) – Limited modification of data.
- Availability Impact (A): None (N) – No impact on system availability.
Possible Impact
Successful exploitation of this XSS vulnerability could have several serious consequences:
- Account Takeover: An attacker could potentially steal user session cookies or credentials, leading to account compromise.
- Malicious Redirects: Injected scripts could redirect users to phishing sites or other malicious resources.
- Defacement: The injected scripts could modify the appearance of the affected pages, defacing the website.
- Data Theft: Sensitive user data displayed on the page could be harvested and stolen.
- Administrative Access: If an administrator views a page containing the malicious script, the attacker could gain administrative access to the WordPress site.
Mitigation and Patch Steps
The recommended solution is to update the FunnelKit – Funnel Builder for WooCommerce Checkout plugin to the latest version. Version 3.13.1.3 and later contain a fix for this vulnerability. You can update the plugin directly through the WordPress admin dashboard.
The fix included input sanitization and output escaping for the `default` attribute of the `wfop_phone` shortcode. The relevant changeset can be found here: Funnel Builder Changeset 3397106.
If you are unable to update immediately, consider temporarily disabling the plugin until an update can be performed. Alternatively, you could review all pages and posts using the `wfop_phone` shortcode and remove or sanitize any potentially malicious `default` attributes, although this is a less reliable approach.
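For a site that cannot update immediately, reviewing every post by hand is error-prone. The script below is an added example written for this page (not part of the advisory or the plugin) that scans published and unpublished content for `[wfop_phone]` shortcodes whose `default` attribute contains anything other than phone-number characters, so the affected posts can be reviewed. It uses only WordPress core functions (`get_posts()`, `get_shortcode_regex()`, `shortcode_parse_atts()`); the file name, helper names and the character allow-list are assumptions. Run it inside the site, for example with `wp eval-file wfop-phone-scan.php`.

```php
<?php
/**
 * Added example (not the plugin's code): list posts whose [wfop_phone]
 * shortcodes carry a `default` attribute that does not look like a phone
 * number. Helper names and the file name are hypothetical.
 */

// True when the value contains only digits, +, -, whitespace, parentheses
// or dots. Anything else (angle brackets, quotes, letters) is flagged.
function wfop_default_looks_like_phone( $value ) {
    return (bool) preg_match( '/^[0-9+\-\s().]*$/', $value );
}

// Returns an array of findings: array( post_id, post_title, default_value ).
function wfop_find_suspicious_defaults() {
    $findings = array();
    $posts    = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
        's'           => 'wfop_phone', // narrow to posts that mention the shortcode
    ) );
    // get_shortcode_regex() builds the same pattern core uses to run shortcodes;
    // restricting it to one tag avoids matching unrelated shortcodes.
    $pattern = '/' . get_shortcode_regex( array( 'wfop_phone' ) ) . '/';

    foreach ( $posts as $post ) {
        if ( ! preg_match_all( $pattern, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            // Capture group 3 of get_shortcode_regex() is the raw attribute string.
            $atts = shortcode_parse_atts( $m[3] );
            if ( ! is_array( $atts ) || ! isset( $atts['default'] ) ) {
                continue;
            }
            if ( ! wfop_default_looks_like_phone( $atts['default'] ) ) {
                $findings[] = array( $post->ID, $post->post_title, $atts['default'] );
            }
        }
    }
    return $findings;
}

// Report each finding; post IDs can then be opened in the editor for review.
foreach ( wfop_find_suspicious_defaults() as $f ) {
    printf( "post %d (%s): default=%s\n", $f[0], $f[1], $f[2] );
}
```

The scan is a review aid, not a fix: it flags content created before the patch so that it can be inspected and cleaned up, but only updating to 3.13.1.3 or later closes the escaping gap for content added afterwards. Checking `post_status => 'any'` matters because a draft or pending post written by a Contributor is exactly where an injected shortcode would sit while waiting for review.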
