Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network-reachable XSS requiring victim click (UI:R); script runs in WordPress origin causing scope change with limited C/I/A impact on the admin session.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions.
AnalysisAI
Stored or reflected cross-site scripting in WPFunnels Pro WordPress plugin versions 2.9.4 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they interact with crafted content. The CVSS 3.1 score of 7.1 reflects the scope-changed impact (S:C) on the WordPress site, including potential session hijacking of administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a WordPress site running WPFunnels Pro at version 2.9.4 or earlier with funnel pages or affected endpoints reachable by the attacker, and per CVSS UI:R it requires the victim to perform an action such as clicking a crafted link or loading a page that includes the malicious input. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates remote, unauthenticated exploitation with low complexity, but requires victim interaction such as clicking a crafted link or visiting a malicious funnel page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or funnel page parameter containing a JavaScript payload targeting the vulnerable WPFunnels Pro endpoint, then distributes it via phishing email, forum post, or malvertising. When a logged-in WordPress administrator clicks the link, the script executes in their browser session and silently creates a new admin account or exfiltrates the authentication cookie. … |
| Remediation | Upgrade WPFunnels Pro to the version released after 2.9.4 as documented in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpfunnels-pro/vulnerability/wordpress-wpfunnels-pro-plugin-2-9-4-cross-site-scripting-xss-vulnerability); no specific fixed version is stated in the available input, so verify the exact patched release on the vendor changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress instances for WPFunnels Pro versions 2.9.4 and earlier; document scope and criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37624