Impact
The vulnerability is an unauthenticated Cross Site Scripting (XSS) flaw present in the WPFunnels Pro WordPress plugin. The flaw allows an attacker to inject malicious scripts that are rendered in the browser of any user who views a page containing the plugin's interface. Successful exploitation could enable session hijacking, credential theft, defacement, or the execution of arbitrary client-side code. The weakness is a classic input validation issue, as categorized by CWE-79.
Affected Systems
Affected systems are sites running the WPFunnels Pro plugin version 2.9.4 or earlier. The plugin is distributed by WPFunnels and integrates with WordPress. Only the specified product and version range is affected; newer versions are not considered vulnerable.
Risk and Exploitability
The CVSS base score of 7.1 indicates a high severity, while the EPSS score is not available and the vulnerability has not been listed in the CISA KEV catalog. The description notes that the flaw is unauthenticated, so any visitor that can trigger the vulnerable code path can potentially execute their chosen script. As the flaw does not require elevated privileges on the host, the risk of exploitation remains tangible if an attacker can elicit the vulnerable request.
OpenCVE Enrichment