{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6588", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-24T22:09:45.476Z", "datePublished": "2025-07-24T09:22:21.631Z", "dateUpdated": "2026-04-08T17:28:27.689Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:27.689Z"}, "affected": [{"vendor": "funnelcockpit", "product": "FunnelCockpit", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The FunnelCockpit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018error\u2019 parameter in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link."}], "title": "FunnelCockpit <= 1.4.3 - Reflected Cross-Site Scripting via `error` Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df2e744f-e1d6-4380-8e24-e98e9df4dd2f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/funnelcockpit/trunk/admin/class-funnelcockpit-admin.php#L433"}, {"url": "https://plugins.trac.wordpress.org/changeset/3337752"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nicolai Hellesnes"}], "timeline": [{"time": "2025-05-01T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-07-23T20:46:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-24T13:10:31.040051Z", "id": "CVE-2025-6588", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:10:35.907Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6588", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-24T13:10:31.040051Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:10:33.312Z"}}], "cna": {"title": "FunnelCockpit <= 1.4.3 - Reflected Cross-Site Scripting via `error` Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Nicolai Hellesnes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "funnelcockpit", "product": "FunnelCockpit", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-01T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-07-23T20:46:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df2e744f-e1d6-4380-8e24-e98e9df4dd2f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/funnelcockpit/trunk/admin/class-funnelcockpit-admin.php#L433"}, {"url": "https://plugins.trac.wordpress.org/changeset/3337752"}], "descriptions": [{"lang": "en", "value": "The FunnelCockpit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018error\u2019 parameter in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:27.689Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6588", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:28:27.689Z", "dateReserved": "2025-06-24T22:09:45.476Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-24T09:22:21.631Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The FunnelCockpit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018error\u2019 parameter in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento FunnelCockpit para WordPress es vulnerable a Cross-Site Scripting reflejado a trav\u00e9s del par\u00e1metro 'error' en todas las versiones hasta la 1.4.2 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutan si logran enga\u00f1ar a un usuario administrador para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-6588", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-24T10:15:27.977", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/funnelcockpit/trunk/admin/class-funnelcockpit-admin.php#L433"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3337752"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df2e744f-e1d6-4380-8e24-e98e9df4dd2f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T20:08:25.595204+00:00", "value": {"mitigation_remediation": ["Upgrade FunnelCockpit to the latest release (>=1.4.4) which removes the unsanitized error parameter.", "If an immediate upgrade is not possible, modify the plugin\u2019s output handling to escape the error parameter using WordPress\u2019s esc_html() or similar functions before echoing it.", "As a temporary measure, disable the error parameter or restrict its exposure by adding custom code that blocks its use from non\u2011admin contexts."], "summary": {"action": "Patch Now", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the FunnelCockpit plugin for WordPress up to version 1.4.3 are affected. Users should verify whether their deployment is running any of these releases and plan an upgrade to a fixed version.", "description_and_impact": "The FunnelCockpit WordPress plugin contains a reflected XSS flaw due to the unsanitized handling of the error parameter, which can be reflected in the page output. If an attacker can trick an administrative user into visiting a crafted URL containing the error value, the script will run in the admin\u2019s browser, potentially stealing session cookies, defacing sites, or executing further attacks. The weakness is a classic input validation error (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 6.1 indicates a medium severity vulnerability, and the EPSS score of less than 1% shows a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, but since it relies on social engineering to target administrators it can still pose a significant risk. The probable attack vector is an unauthenticated attacker sending a malicious link to a privileged user who follows it, leading to the execution of arbitrary client\u2011side code."}}}}, "created": "2025-07-24T21:26:40.305995+00:00", "updated": "2026-04-20T20:15:06.220994+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}