Description
The FunnelCockpit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘error’ parameter in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.
Published: 2025-07-24
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The FunnelCockpit WordPress plugin contains a reflected XSS flaw: the error request parameter is written into the page output without sanitization or escaping. If an attacker can trick an administrative user into visiting a crafted URL carrying a malicious error value, the script runs in the admin’s browser, where it could steal session cookies, deface the site, or serve as a foothold for further attacks. The weakness is the classic failure to neutralize user input before rendering it in a web page (CWE‑79).

Affected Systems

All installations of the FunnelCockpit plugin for WordPress up to version 1.4.3 are affected. Users should verify whether their deployment is running any of these releases and plan an upgrade to a fixed version.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity vulnerability, and the EPSS score of less than 1% shows a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, but since it relies on social engineering to target administrators it can still pose a significant risk. The probable attack vector is an unauthenticated attacker sending a malicious link to a privileged user who follows it, leading to the execution of arbitrary client‑side code.

Generated by OpenCVE AI on April 20, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FunnelCockpit to the latest release (>=1.4.4) which removes the unsanitized error parameter.
  • If an immediate upgrade is not possible, modify the plugin’s output handling to escape the error parameter using WordPress’s esc_html() or similar functions before echoing it.
  • As a temporary measure, disable the error parameter or restrict its exposure by adding custom code that blocks its use from non‑admin contexts.
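To make the second recommendation concrete, here is an added illustration of the pattern it describes. This is not FunnelCockpit's code (the plugin's source is not on this page); the function and text-domain names are hypothetical, while the WordPress helpers used (wp_unslash, sanitize_text_field, sanitize_key, esc_html, esc_attr, add_action, __) are real. It shows the unescaped echo that produces a reflected XSS, the same notice with context-appropriate escaping, and an allow-list variant that never reflects free text at all.

```php
<?php
// Added example (not the plugin's own code). Demonstrates the defect class
// described above and the output escaping the recommended actions call for.
// Function names and the 'example-plugin' text domain are hypothetical.

// BEFORE (vulnerable pattern): the request parameter is echoed straight into
// the admin page. Whatever arrives in ?error=... is rendered as HTML.
function example_plugin_notice_vulnerable() {
    if ( ! isset( $_GET['error'] ) ) {
        return;
    }
    $error = wp_unslash( $_GET['error'] );
    echo '<div class="notice notice-error"><p>' . $error . '</p></div>';
}

// AFTER (hardened pattern): sanitize on input, then escape on output for the
// exact context the value lands in. esc_html() covers text nodes; an attribute
// needs esc_attr(). esc_html() alone is not sufficient inside an attribute
// or a <script> block.
function example_plugin_notice_hardened() {
    if ( ! isset( $_GET['error'] ) ) {
        return;
    }
    $error = sanitize_text_field( wp_unslash( $_GET['error'] ) );
    printf(
        '<div class="notice notice-error" data-error="%1$s"><p>%2$s</p></div>',
        esc_attr( $error ),
        esc_html( $error )
    );
}

// SAFER STILL: do not reflect free text. Accept only a short allow-listed code
// and map it to a fixed message, so the request can choose which message is
// shown but never supplies its content.
function example_plugin_notice_allowlist() {
    if ( ! isset( $_GET['error'] ) ) {
        return;
    }
    $messages = array(
        'missing_key' => __( 'The API key is missing.', 'example-plugin' ),
        'bad_request' => __( 'The request could not be processed.', 'example-plugin' ),
    );
    // sanitize_key() reduces the value to lowercase [a-z0-9_-]
    $code = sanitize_key( wp_unslash( $_GET['error'] ) );
    if ( ! isset( $messages[ $code ] ) ) {
        return; // unknown codes are dropped, never echoed
    }
    echo '<div class="notice notice-error"><p>' . esc_html( $messages[ $code ] ) . '</p></div>';
}

// Hook the allow-list version into the admin screens.
add_action( 'admin_notices', 'example_plugin_notice_allowlist' );
```

One caveat worth keeping in mind when applying the third recommendation: a capability or admin-context check on its own does not close a reflected XSS, because in the scenario this advisory describes the victim is the administrator, so such a check passes. The fix has to be escaping or allow-listing at the point of output.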

Generated by OpenCVE AI on April 20, 2026 at 20:08 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-22493
Title: The FunnelCockpit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘error’ parameter in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
  Removed: The FunnelCockpit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘error’ parameter in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.
  Added: The FunnelCockpit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘error’ parameter in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.
Type: Title
  Removed: FunnelCockpit <= 1.4.2 - Reflected Cross-Site Scripting via `error` Parameter
  Added: FunnelCockpit <= 1.4.3 - Reflected Cross-Site Scripting via `error` Parameter
Type: References

Thu, 24 Jul 2025 21:30:00 +0000

Type: First Time appeared
  Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Added: Wordpress; Wordpress wordpress

Thu, 24 Jul 2025 13:15:00 +0000

Type: Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 24 Jul 2025 09:30:00 +0000

Type: Description
  Added: The FunnelCockpit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘error’ parameter in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.
Type: Title
  Added: FunnelCockpit <= 1.4.2 - Reflected Cross-Site Scripting via `error` Parameter
Type: Weaknesses
  Added: CWE-79
Type: References
Type: Metrics
  Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:27.689Z

Reserved: 2025-06-24T22:09:45.476Z

Link: CVE-2025-6588

Vulnrichment

Updated: 2025-07-24T13:10:33.312Z

NVD

Status: Deferred

Published: 2025-07-24T10:15:27.977

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:15:06Z

Weaknesses