{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0626", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-05T21:49:40.411Z", "datePublished": "2026-04-04T11:16:13.764Z", "dateUpdated": "2026-04-08T16:41:23.537Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:23.537Z"}, "affected": [{"vendor": "getwpfunnels", "product": "WPFunnels \u2013 Funnel Builder for WooCommerce with Checkout & One Click Upsell", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.7.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WPFunnels \u2013 Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpf_optin_form' shortcode in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping of the 'button_icon' parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WPFunnels <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2130847a-b6c5-412e-8d90-ba42d3fb21f6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439366/wpfunnels/trunk/includes/core/shortcodes/templates/optin/form.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Paolo Tresso"}], "timeline": [{"time": "2026-01-05T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-05T21:55:53.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-03T22:13:01.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T16:45:22.957985Z", "id": "CVE-2026-0626", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T16:46:25.948Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0626", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T16:45:22.957985Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T16:46:21.509Z"}}], "cna": {"title": "WPFunnels <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Paolo Tresso"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "getwpfunnels", "product": "WPFunnels \u2013 Funnel Builder for WooCommerce with Checkout & One Click Upsell", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.7.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-05T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-05T21:55:53.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-03T22:13:01.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2130847a-b6c5-412e-8d90-ba42d3fb21f6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439366/wpfunnels/trunk/includes/core/shortcodes/templates/optin/form.php"}], "descriptions": [{"lang": "en", "value": "The WPFunnels \u2013 Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpf_optin_form' shortcode in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping of the 'button_icon' parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:23.537Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0626", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:41:23.537Z", "dateReserved": "2026-01-05T21:49:40.411Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-04T11:16:13.764Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WPFunnels \u2013 Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpf_optin_form' shortcode in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping of the 'button_icon' parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-0626", "lastModified": "2026-04-24T18:13:28.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-04T12:16:02.787", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3439366/wpfunnels/trunk/includes/core/shortcodes/templates/optin/form.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2130847a-b6c5-412e-8d90-ba42d3fb21f6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.7.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WPFunnels \u2013 Funnel Builder for WooCommerce with Checkout & One Click Upsell", "source": "cna", "vendor": "getwpfunnels"}, "product": "wpfunnels_\u2013_funnel_builder_for_woocommerce_with_checkout_&_one_click_upsell", "vendor": "getwpfunnels"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-04T13:22:20.403585+00:00", "value": {"mitigation_remediation": ["Upgrade WPFunnels to the latest version that removes the vulnerability (3.8.0 or later).", "If an upgrade is not yet possible, delete or replace any pages that use the 'wpf_optin_form' shortcode until a patch is applied.", "Restrict contributor role access if not needed, or enforce stricter capability limits.", "Periodically scan content for unexpected scripts and monitor site activity."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "This flaw affects WPFunnels \u2013 Funnel Builder for WooCommerce with Checkout & One Click Upsell, a plugin by getwpfunnels. All released versions up to and including 3.7.9 are impacted. Users of 3.8.0 or later, if available, are not affected.", "description_and_impact": "The WPFunnels WordPress plugin is vulnerable to stored cross\u2011site scripting through the 'wpf_optin_form' shortcode, specifically the 'button_icon' parameter. Because the plugin does not properly sanitize or escape user supplied data, an authenticated attacker with contributor level access can store malicious scripts into a page. When any visitor loads that page, the stored script executes in their browser, potentially allowing the attacker to perform client\u2011side attacks such as cookie theft, session hijacking, defacement, or redirection.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers need valid contributor\u2011level credentials to inject the payload; therefore, the attack vector is internal, authenticated. Once injected, the script executes automatically whenever a page containing the 'wpf_optin_form' shortcode is accessed, giving the attacker a broad reach within the site."}}}}, "created": "2026-04-06T20:27:31.627860+00:00", "updated": "2026-04-06T22:20:50.594952+00:00", "vendors": ["getwpfunnels", "getwpfunnels$PRODUCT$wpfunnels_\u2013_funnel_builder_for_woocommerce_with_checkout_&_one_click_upsell", "wordpress", "wordpress$PRODUCT$wordpress"]}