CVE-2026-0626
Stored XSS in WPFunnels Plugin via wpf_optin_form Shortcode
Publication date: 2026-04-04
Last updated on: 2026-04-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_funnels | wpfunnels | to 3.7.9 (inc) |
| wp_funnels | wpfunnels | 3.8.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the WPFunnels β Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales WordPress plugin, specifically in versions up to and including 3.7.9. It is a Stored Cross-Site Scripting (XSS) issue caused by insufficient sanitization and escaping of the 'button_icon' parameter in the 'wpf_optin_form' shortcode.
This flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the affected page, potentially compromising user security.
How can this vulnerability impact me? :
This vulnerability can lead to the execution of malicious scripts in the context of users visiting the infected pages. An attacker could exploit this to steal sensitive information, hijack user sessions, deface websites, or perform other malicious actions.
Since the attacker needs contributor-level access or above, the risk is elevated if such user accounts are compromised or misused.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the WordPress site is running the WPFunnels plugin version 3.7.9 or earlier and if the 'wpf_optin_form' shortcode is used with a potentially malicious 'button_icon' parameter.
Since the vulnerability is a Stored Cross-Site Scripting (XSS) via the 'button_icon' parameter, detection can include searching the database or site content for suspicious or unexpected HTML or JavaScript code injected into this parameter.
Suggested commands to detect potential exploitation or presence of malicious input include:
- Using WP-CLI to search posts or options for suspicious 'button_icon' content: `wp search-replace --regex --dry-run '<script' ''` or `wp db query "SELECT * FROM wp_posts WHERE post_content LIKE '%[wpf_optin_form%button_icon=%'"`
- Using SQL queries directly on the WordPress database to find shortcode usage with suspicious parameters: `SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[wpf_optin_form%button_icon=%<script%'`
- Monitoring HTTP requests and responses for injected scripts related to the 'button_icon' parameter in pages using the shortcode.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WPFunnels plugin to version 3.8.0 or later, where the vulnerability is fixed by sanitizing the 'button_icon' parameter using the wp_kses_post() function.
If updating immediately is not possible, restrict contributor-level and higher users from adding or editing content that uses the 'wpf_optin_form' shortcode with the 'button_icon' parameter.
Additionally, review and sanitize any existing content that uses the vulnerable shortcode to remove any malicious scripts.
Implement security best practices such as limiting user privileges, monitoring for suspicious activity, and applying web application firewalls that can detect and block XSS payloads.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Stored Cross-Site Scripting (XSS) issue that allows authenticated users with contributor level access and above to inject arbitrary scripts that execute when other users access the affected pages.
Such vulnerabilities can potentially lead to unauthorized access to user data or session hijacking, which may impact compliance with data protection regulations like GDPR or HIPAA by compromising confidentiality and integrity of personal or sensitive information.
However, the provided context and resources do not explicitly discuss or analyze the impact of this vulnerability on compliance with specific standards or regulations.