{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12878", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-07T15:42:08.020Z", "datePublished": "2025-11-19T05:45:13.633Z", "dateUpdated": "2026-04-08T16:59:53.178Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:53.178Z"}, "affected": [{"vendor": "amans2k", "product": "FunnelKit \u2013 Funnel Builder for WooCommerce Checkout", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.13.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The FunnelKit \u2013 Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `wfop_phone` shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and output escaping on the user-supplied `default` attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "FunnelKit \u2013 Funnel Builder for WooCommerce Checkout <= 3.13.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wfop_phone Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f54053e-30ff-449b-b696-92d503011a4d?source=cve"}, {"url": "https://wordpress.org/plugins/funnel-builder"}, {"url": "https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L96"}, {"url": "https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L116"}, {"url": "https://plugins.trac.wordpress.org/changeset/3397106/funnel-builder/tags/3.13.1.3/merge-tags/class-bwf-contact-tags.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2025-11-13T07:27:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-18T17:41:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-19T20:28:23.012478Z", "id": "CVE-2025-12878", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T20:28:42.804Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12878", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-19T20:28:23.012478Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T20:28:37.563Z"}}], "cna": {"title": "FunnelKit \u2013 Funnel Builder for WooCommerce Checkout <= 3.13.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wfop_phone Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "amans2k", "product": "FunnelKit \u2013 Funnel Builder for WooCommerce Checkout", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.13.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-13T07:27:56.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-18T17:41:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f54053e-30ff-449b-b696-92d503011a4d?source=cve"}, {"url": "https://wordpress.org/plugins/funnel-builder"}, {"url": "https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L96"}, {"url": "https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L116"}, {"url": "https://plugins.trac.wordpress.org/changeset/3397106/funnel-builder/tags/3.13.1.3/merge-tags/class-bwf-contact-tags.php"}], "descriptions": [{"lang": "en", "value": "The FunnelKit \u2013 Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `wfop_phone` shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and output escaping on the user-supplied `default` attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:53.178Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12878", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:53.178Z", "dateReserved": "2025-11-07T15:42:08.020Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-19T05:45:13.633Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The FunnelKit \u2013 Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `wfop_phone` shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and output escaping on the user-supplied `default` attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12878", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-19T06:15:47.180", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L101"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L116"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L30"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L96"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3397106/funnel-builder/tags/3.13.1.3/merge-tags/class-bwf-contact-tags.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/funnel-builder"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f54053e-30ff-449b-b696-92d503011a4d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:10:15.815902+00:00", "value": {"mitigation_remediation": ["Upgrade FunnelKit \u2013 Funnel Builder for WooCommerce Checkout to the latest patched release (\u2265\u202f3.13.1.3)", "Identify and remove any wfop_phone shortcodes that contain malicious default attributes", "Review and restrict Contributor\u2011level permissions on the WordPress site to limit the ability to inject shortcodes"], "summary": {"action": "Update Plugin", "impact": "Stored cross\u2011site scripting that allows authenticated contributors to inject scripts"}, "threat_synthesis": {"affected_systems": "WordPress sites running the FunnelKit \u2013 Funnel Builder for WooCommerce Checkout plugin by amans2k, versions 3.13.1.2 and earlier. All installations of the plugin that include the wfop_phone shortcode are affected until the plugin is upgraded to a patched release.", "description_and_impact": "The plugin contains a Stored Cross\u2011Site Scripting vulnerability (CWE\u201179) that allows authenticated users with Contributor level access or higher to inject arbitrary JavaScript into the default attribute of the wfop_phone shortcode. When a page containing that shortcode is viewed, the injected script executes in the victim's browser, providing attackers the ability to hijack sessions, deface content, or launch further attacks. This flaw does not impact unattended systems or users lacking Contributor rights, but any user who views the affected page can be compromised.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4 and an EPSS score of less than 1\u202f%. It is not listed in CISA\u2019s KEV catalog. Because it requires authenticated activity at the Contributor level or above, the exploitation likelihood is low on a site with strict role management, yet a compromised contributor can easily inject malicious content that will affect all users who view the page. Attackers could obtain access via phishing or exploiting other vulnerabilities to gain Contributor privileges before injecting the script."}}}}, "created": "2025-11-20T10:30:40.673591+00:00", "updated": "2026-04-21T18:15:36.375197+00:00", "vendors": ["funnelkit", "funnelkit$PRODUCT$funnel_builder", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}