Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FunnelCockpit FunnelCockpit funnelcockpit allows Reflected XSS.This issue affects FunnelCockpit: from n/a through <= 1.4.3.
Published: 2025-05-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The FunnelCockpit plugin for WordPress writes user-supplied input into a generated page without neutralizing it (CWE-79), which yields a reflected cross-site scripting flaw. The CVE text does not name the affected endpoint or parameter; based on the description, it is inferred that request data echoed back unescaped can carry attacker-controlled HTML or JavaScript, which the victim's browser then executes in the origin of the WordPress site. Possible consequences are theft of tokens or page content readable from script, actions performed with the victim's privileges (for example through WordPress REST nonces, up to account takeover if the victim is an administrator), defacement of the rendered page, and phishing content delivered from the trusted domain. WordPress sets its authentication cookies HttpOnly by default, so script-driven actions in the victim's session are a more realistic outcome than plain cookie theft.

Affected Systems

WordPress installations running the FunnelCockpit plugin at version 1.4.3 or earlier are affected. The CVE record gives no lower bound ("from n/a"), so every release up to and including 1.4.3 should be treated as vulnerable; the advisory originally capped the range at 1.4.2 and was later widened to 1.4.3.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) comes from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: reachable over the network, low complexity, no privileges required, but a victim must interact (UI:R), typically by opening a crafted link, and the scope change reflects that the payload runs in the user's browser rather than in the plugin itself. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild at present, and the CISA SSVC assessment recorded for this CVE is Exploitation: none, Automatable: no, Technical Impact: partial. Based on the description, it is inferred that any unauthenticated party who can induce a request to the plugin, via a link, a form post, or a frame on a third-party page, can trigger the flaw. Because the XSS is reflected, the payload travels in the request and is not stored by the plugin, so each victim has to be lured separately. The vulnerability is not listed in CISA's KEV catalog, so no active exploitation is known, but reflected XSS in a public-facing plugin is straightforward to weaponize once the parameter is known and warrants timely remediation.

Generated by OpenCVE AI on April 30, 2026 at 19:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FunnelCockpit plugin to a release newer than 1.4.3 that the vendor states fixes this issue; at the time of this analysis no fixed version is listed, so check the plugin changelog before assuming a newer build is patched. If no fix is available and the plugin is not essential, deactivate it.
  • Site operators cannot normally change third-party plugin code, so the in-code fix applies to the plugin maintainer or to a locally patched fork: unslash and sanitize request data on the way in (wp_unslash() followed by sanitize_text_field()), then escape it on the way out with the function for the HTML context it lands in: esc_html() for text nodes, esc_attr() for attribute values, esc_url() for href or src attributes, and wp_kses_post() only where a limited set of HTML must be preserved. Output escaping is what actually neutralizes the payload; input sanitization alone is easy to bypass.
  • Deploy a web application firewall rule set for reflected XSS and add a Content-Security-Policy that forbids inline script (nonce- or hash-based script-src, no 'unsafe-inline'), which limits what a payload can do if it still reaches the browser. Roll the policy out in Content-Security-Policy-Report-Only first, since WordPress core and many plugins emit inline scripts.
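As an added illustration of the vulnerable pattern discussed under Impact and of the escaping and CSP advice above, the file below is not FunnelCockpit's code and not from OpenCVE. It is a hypothetical shortcode-style handler with an invented query parameter fc_ref, rendered three ways: echoing the value raw, sanitizing the input only, and sanitizing plus escaping for each HTML context; a nonce-based CSP header is built alongside. The function_exists() shims approximate the WordPress helpers so the file runs under plain php; inside WordPress the real core functions are used instead.

```php
<?php
// Added example, not FunnelCockpit or OpenCVE code. The handler, the
// parameter name "fc_ref" and every function name here are invented; the
// CVE record does not identify the real reflected parameter.

// Stand-ins so this file runs outside WordPress (php example.php).
// Inside WordPress these functions already exist and the real ones win.
// Core esc_html()/esc_attr() use _wp_specialchars(); htmlspecialchars with
// ENT_QUOTES is the same idea for a demonstration.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Core strips tags, invalid octets and line breaks; this approximates that.
        $str = strip_tags((string) $str);
        return trim(preg_replace('/[\r\n\t ]+/', ' ', $str));
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        // WordPress adds slashes to superglobals; core code unslashes first.
        return stripslashes((string) $value);
    }
}

// VULNERABLE (CWE-79): the request value is concatenated straight into markup,
// once in a text node and once inside an attribute value.
function fc_render_ref_vulnerable(array $get): string
{
    $ref = $get['fc_ref'] ?? '';
    return '<p class="fc-ref">Referrer: ' . $ref . '</p>'
         . '<input type="text" name="fc_ref" value="' . $ref . '">';
}

// INCOMPLETE: input sanitization with no output escaping. strip_tags() never
// touches a payload that contains no angle brackets, so the attribute context
// can still be broken out of.
function fc_render_ref_sanitize_only(array $get): string
{
    $ref = isset($get['fc_ref']) ? sanitize_text_field(wp_unslash($get['fc_ref'])) : '';
    return '<p class="fc-ref">Referrer: ' . $ref . '</p>'
         . '<input type="text" name="fc_ref" value="' . $ref . '">';
}

// HARDENED: unslash and sanitize on input, then escape on output with the
// helper that matches each HTML context (text node vs attribute value).
function fc_render_ref_hardened(array $get): string
{
    $ref = isset($get['fc_ref']) ? sanitize_text_field(wp_unslash($get['fc_ref'])) : '';
    return '<p class="fc-ref">Referrer: ' . esc_html($ref) . '</p>'
         . '<input type="text" name="fc_ref" value="' . esc_attr($ref) . '">';
}

// Defence in depth: a nonce-based CSP that blocks inline script even if an
// escape is missed. In WordPress this string would be sent from a callback on
// the 'send_headers' action, and the nonce added to every legitimate <script>.
function fc_csp_header(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'";
}

// Constructed payloads, the kind of values a crafted link would carry.
$payloads = [
    'tag'  => '<script>alert(document.domain)</script>',
    'attr' => '" autofocus onfocus="alert(document.domain)',
];

foreach ($payloads as $name => $p) {
    $get = ['fc_ref' => $p];
    echo "== payload: {$name}\n";
    echo "vulnerable:    ", fc_render_ref_vulnerable($get), "\n";     // script or handler runs
    echo "sanitize-only: ", fc_render_ref_sanitize_only($get), "\n";  // 'attr' payload still runs
    echo "hardened:      ", fc_render_ref_hardened($get), "\n\n";     // inert in both contexts
}

echo fc_csp_header(bin2hex(random_bytes(16))), "\n";
```

The "attr" payload is the one to watch: sanitize_text_field() leaves it untouched because it contains no tags, and in the sanitize-only renderer it closes the value attribute and adds an event handler, whereas esc_attr() turns the quote into &quot; and the markup stays intact. The CSP shown is deliberately strict; on a real WordPress site every inline script emitted by core, the theme and other plugins needs the nonce (or a hash) before the header can leave Report-Only mode.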


Advisories

Source: EUVD
ID: EUVD-2025-28118
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FunnelCockpit FunnelCockpit allows Reflected XSS. This issue affects FunnelCockpit: from n/a through 1.4.2.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FunnelCockpit FunnelCockpit allows Reflected XSS. This issue affects FunnelCockpit: from n/a through 1.4.2.
    added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FunnelCockpit FunnelCockpit funnelcockpit allows Reflected XSS.This issue affects FunnelCockpit: from n/a through <= 1.4.3.
  Title
    removed: WordPress FunnelCockpit plugin <= 1.4.2 - Reflected Cross Site Scripting (XSS) vulnerability
    added: WordPress FunnelCockpit plugin <= 1.4.3 - Reflected Cross Site Scripting (XSS) vulnerability
  References: updated (no values listed)
  Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 23 May 2025 18:15:00 +0000
  Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 May 2025 13:00:00 +0000
  Description added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FunnelCockpit FunnelCockpit allows Reflected XSS. This issue affects FunnelCockpit: from n/a through 1.4.2.
  Title added: WordPress FunnelCockpit plugin <= 1.4.2 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses added: CWE-79
  References: added (no values listed)
  Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE
Status: PUBLISHED
Assigner: Patchstack
Published:
Updated: 2026-05-12T00:20:02.254Z
Reserved: 2025-05-07T10:45:37.286Z
Link: CVE-2025-47678

Vulnrichment
Updated: 2025-05-23T17:22:53.038Z

NVD
Status: Deferred
Published: 2025-05-23T13:15:43.103
Modified: 2026-04-23T15:30:43.933
Link: CVE-2025-47678

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-04-30T19:30:26Z

Weaknesses