EUVD-2026-18991
GHSA-3j3p-4gr4-4r5f
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Description
The WPFunnels - Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpf_optin_form' shortcode in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping of the 'button_icon' parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
Stored cross-site scripting (XSS) in WPFunnels - Easy Funnel Builder plugin for WordPress versions up to 3.7.9 allows authenticated contributors and higher-privileged users to inject arbitrary JavaScript via the 'button_icon' parameter in the 'wpf_optin_form' shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, potentially compromising website visitors and enabling session hijacking, credential theft, or malware distribution. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today