Skip to main content

Funnelforms Funnelforms Free CVE-2025-62758

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 09:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Funnelforms Funnelforms Free funnelforms-free allows DOM-Based XSS.This issue affects Funnelforms Free: from n/a through <= 3.8.

AnalysisAI

DOM-based cross-site scripting (XSS) in Funnelforms Free WordPress plugin version 3.8 and earlier allows authenticated attackers to inject malicious scripts through improper input neutralization during web page generation. The vulnerability has a low EPSS score (0.04%, 14th percentile) and no confirmed active exploitation, suggesting limited real-world attack probability despite the XSS classification.

Technical ContextAI

This vulnerability stems from inadequate input sanitization in the Funnelforms Free WordPress plugin, specifically affecting DOM (Document Object Model) manipulation. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-controlled input is directly reflected into the DOM without proper encoding or escaping. WordPress plugins handling form data are common XSS vectors because they process user input across multiple layers (client-side form handling, server-side processing, and database storage). The DOM-based variant indicates the vulnerability manifests in client-side JavaScript execution rather than server-side HTML generation, meaning the plugin likely fails to sanitize or encode data before inserting it into the DOM via JavaScript methods like innerHTML or document.write.

Affected ProductsAI

Funnelforms Free WordPress plugin versions 3.8 and earlier are affected. The plugin is available through the WordPress plugin repository and can be identified by the CPE designation for WordPress plugins (wp:funnelforms-free). Organizations running version 3.8 or any earlier release should prioritize assessment and patching.

RemediationAI

Update Funnelforms Free to version 3.9 or later immediately, which addresses the DOM-based XSS vulnerability through improved input sanitization. For WordPress administrators unable to upgrade immediately, restrict access to form creation and editing functionality to trusted users only, and audit existing form configurations for suspicious JavaScript payloads. For detailed guidance, consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/funnelforms-free/vulnerability/wordpress-funnelforms-free-plugin-3-8-cross-site-scripting-xss-vulnerability, which typically includes mitigation steps from the plugin vendor.

Share

CVE-2025-62758 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy