Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Funnelforms Funnelforms Free funnelforms-free allows DOM-Based XSS. This issue affects Funnelforms Free: from n/a through <= 3.8.
Published: 2025-12-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Funnelforms Free plugin for WordPress contains a DOM-based Cross-Site Scripting flaw caused by improper neutralization of user-supplied input. When the plugin incorporates user data into web pages without adequate sanitization, an attacker can inject malicious JavaScript, potentially stealing session cookies, defacing the site, or delivering phishing attacks. This is a classic CWE-79 vulnerability that directly affects the integrity and confidentiality of the site's users.

Affected Systems

All WordPress installations that use the Funnelforms Free plugin version 3.8 or earlier are vulnerable. The affected product is the Funnelforms Free plugin released by Funnelforms; no sub-version details beyond the <= 3.8 boundary are supplied.

Risk and Exploitability

The CVSS score of 6.5 classifies the issue as moderate severity. The EPSS score of less than 1% indicates that, while the flaw exists, widespread exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw without authentication by crafting URLs or form inputs that are reflected into the page DOM. Once the script runs in a victim's browser, it can intercept credentials or perform other malicious actions. The risk is therefore non-negligible, and prompt mitigation is advised.

Generated by OpenCVE AI on April 29, 2026 at 18:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Funnelforms Free plugin to a version newer than 3.8 to eliminate the unvalidated input path.
  • If an upgrade cannot be performed immediately, disable the plugin or restrict access to it to trusted administrator accounts only, preventing uncontrolled users from triggering the flaw.
  • Implement a Content Security Policy that disallows inline scripts and limits script sources, thereby reducing the impact of any potential XSS injection.
  • Validate or sanitize all user-supplied data before rendering it in the page to address the underlying CWE-79 weakness.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Funnelforms Funnelforms Free allows DOM-Based XSS.This issue affects Funnelforms Free: from n/a through 3.8.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Funnelforms Funnelforms Free funnelforms-free allows DOM-Based XSS.This issue affects Funnelforms Free: from n/a through <= 3.8.

Type: References

Type: Metrics (cvssV3_1)
Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 06 Jan 2026 00:15:00 +0000

Type: Metrics (ssvc)
Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
Values: Funnelforms; Funnelforms funnelforms Free; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values: Funnelforms; Funnelforms funnelforms Free; Wordpress; Wordpress wordpress

Wed, 31 Dec 2025 09:00:00 +0000

Type: Description
Values: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Funnelforms Funnelforms Free allows DOM-Based XSS.This issue affects Funnelforms Free: from n/a through 3.8.

Type: Title
Values: WordPress Funnelforms Free plugin <= 3.8 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Funnelforms Funnelforms Free
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:04.234Z

Reserved: 2025-10-21T14:59:54.790Z

Link: CVE-2025-62758

Vulnrichment

Updated: 2026-01-05T20:30:27.531Z

NVD

Status: Deferred

Published: 2025-12-31T09:15:51.473

Modified: 2026-04-23T15:34:41.303

Link: CVE-2025-62758

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:30:17Z

Weaknesses