Impact
The vulnerability allows an attacker to submit input containing malicious JavaScript that the FunnelCockpit plugin stores. When that stored data is later rendered into a page without output encoding, the script executes in the browser of any user who views the affected page, enabling session hijacking, phishing, or defacement. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the CWE entry for cross-site scripting.
Affected Systems
All installations of the FunnelCockpit WordPress plugin at version 1.4.3 or earlier are affected. The affected-version range covers every release from the first public version up to and including 1.4.3. No higher versions are known to be vulnerable.
Risk and Exploitability
A CVSS score of 5.9 places the issue in the Medium severity band. The EPSS score, shown as less than 1%, indicates that the probability of real-world exploitation is currently very low, and the issue is not listed in CISA's KEV catalog. The likely attack vector is an attacker supplying crafted input through any exposed form or content field that the plugin stores and later serves back without sanitizing it on input or escaping it on output. Because the flaw is stored rather than reflected, a single successful injection reaches every user who views the stored content, so the blast radius is wide once exploited. The attacker does, however, need a valid user context to submit the content in the first place, so restricting who can create or edit the relevant fields, and keeping the plugin's input surfaces away from unauthenticated users, limits exposure. The durable fix is a plugin update that sanitizes the stored input and escapes it on output; per the affected-version range above, releases after 1.4.3 are not known to be vulnerable.
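The store-then-render pattern described under Impact, and the sanitize-on-input/escape-on-output fix referred to just above, as an added example. This is not FunnelCockpit's code and does not reflect how the plugin stores its data; it uses plain PHP with an in-memory array standing in for the plugin's persistence so that it runs with `php` outside WordPress. The helper names `sanitize_text()` and `encode_html()` are assumptions for illustration; in a real WordPress plugin the equivalents are `sanitize_text_field()` on the way in and `esc_html()` / `esc_attr()` on the way out. The attacker payload is constructed for the example.

```php
<?php
// Added example, not FunnelCockpit's code. Demonstrates a stored-XSS sink and
// its hardened form. The $store array is a stand-in for persisted plugin data
// (an assumption for the example); helper names are illustrative.

declare(strict_types=1);

// VULNERABLE: raw input is persisted as-is and later concatenated into HTML.
function vulnerable_save(array &$store, string $key, string $input): void
{
    $store[$key] = $input;                       // no sanitization on input
}

function vulnerable_render(array $store, string $key): string
{
    // No output encoding: whatever was stored is emitted verbatim, so a
    // stored <script> or an event handler attribute runs in every viewer's browser.
    return '<div class="fc-field">' . ($store[$key] ?? '') . '</div>';
}

// HARDENED, step 1: normalise text on the way in. This approximates what
// WordPress' sanitize_text_field() does (strip tags, drop control bytes, trim).
function sanitize_text(string $input): string
{
    $s = strip_tags($input);
    $s = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $s) ?? '';
    return trim($s);
}

// HARDENED, step 2: encode on the way out. This is the control that actually
// prevents script execution; WordPress exposes it as esc_html() / esc_attr().
function encode_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function hardened_save(array &$store, string $key, string $input): void
{
    $store[$key] = sanitize_text($input);
}

function hardened_render(array $store, string $key): string
{
    // Encode at the point of rendering regardless of what was done on input:
    // input sanitization is defence in depth, not a substitute for escaping.
    return '<div class="fc-field">' . encode_html($store[$key] ?? '') . '</div>';
}

// Constructed attacker payload typical of a stored-XSS probe (not from the advisory).
$payload = '<img src=x onerror="alert(document.cookie)">';

$store = [];

vulnerable_save($store, 'headline', $payload);
echo "vulnerable: ", vulnerable_render($store, 'headline'), PHP_EOL;

hardened_save($store, 'headline', $payload);
echo "hardened:   ", hardened_render($store, 'headline'), PHP_EOL;

// Even with sanitization skipped entirely, output encoding alone neutralises the payload.
echo "encode only: ", encode_html($payload), PHP_EOL;
```

Run it with `php stored_xss_example.php`. The vulnerable render emits the `<img>` element with its `onerror` handler intact, which is exactly the condition the advisory describes: the payload persists and fires for every viewer. The hardened path strips the tag on input and, independently, encodes `<`, `>` and quotes on output, so even if a sanitization step is bypassed or a second code path writes to the same store, the rendered page contains inert text rather than markup.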