Description
The SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block's attributes in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting that can be leveraged by authenticated users with contributor privileges or higher
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a stored cross-site scripting flaw in the SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin. It is a CWE-79 weakness: user-supplied attributes of the plugin's Countdown block are neither adequately sanitized on input nor escaped on output. As a result, any authenticated user with contributor-level access or higher can embed arbitrary JavaScript into a page. When visitors load the affected page, the injected script executes in their browsers, where it can alter page content or load additional malicious code.

Affected Systems

The affected product is the SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) WordPress plugin, versions up to and including 1.6.0. All WordPress sites that install these versions and use the Countdown block are impacted.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity (the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N reflects network-reachable, low-privilege access with no user interaction required), while the EPSS score of less than 1% suggests a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. However, because the attack requires only contributor-level access, an attacker with a compromised or malicious contributor account can insert harmful scripts into site pages. The impact is limited to the browsers of visitors who view the injected page, but the injected script could alter page content or deface the site.

Generated by OpenCVE AI on April 22, 2026 at 00:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SlingBlocks plugin to a version newer than 1.6.0 where the sanitization issue has been fixed.
  • If an upgrade is not immediately possible, remove the plugin or disable the Countdown block to prevent further script injection until a patch is applied.
  • Review and restrict contributor‑level permissions to limit the number of users who can edit content, and enforce stricter role management to reduce the attack surface.


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-25430
Title: The SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block's attributes in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 21 Aug 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc (version 2.0.3): Automatable = no; Exploitation = none; Technical Impact = partial

Thu, 21 Aug 2025 13:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Funnelkit; Funnelkit slingblocks; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Funnelkit; Funnelkit slingblocks; Wordpress; Wordpress wordpress

Thu, 21 Aug 2025 05:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block's attributes in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) <= 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1: score 6.4; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:35.793Z

Reserved: 2025-08-05T19:07:48.033Z

Link: CVE-2025-8607

Vulnrichment

Updated: 2025-08-21T14:53:47.964Z

NVD

Status: Deferred

Published: 2025-08-21T06:15:35.600

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8607

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z

Weaknesses