CVE-2025-7654

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-7654
Multiple FunnelKit plugins are vulnerable to Sensitive Information Exposure via the wf_get_cookie shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including authentication cookies of other site users, which may make privilege escalation possible. Please note both FunnelKit – Funnel Builder for WooCommerce Checkout AND FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce are affected by this.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.11.0.2/woofunnels/includes/class-bwf-data-tags.php#L52
https://plugins.trac.wordpress.org/browser/wp-marketing-automations/tags/3.6.3/woofunnels/includes/class-bwf-data-tags.php#L52
https://www.wordfence.com/threat-intel/vulnerabilities/id/bc0983d7-6c7e-41cb-8997-578d362d9c9f?source=cve
Configurations

No configuration.

History

19 Aug 2025, 13:42

Type Values Removed Values Added
Summary
  • (es) Varios complementos de FunnelKit son vulnerables a la exposición de información confidencial a través del shortcode wf_get_cookie. Esto permite que atacantes autenticados, con acceso de colaborador o superior, extraigan datos confidenciales, incluyendo cookies de autenticación de otros usuarios del sitio, lo que podría permitir la escalada de privilegios. Tenga en cuenta que tanto FunnelKit (Funnel Builder para WooCommerce Checkout) como FunnelKit Automations (Automatización de email marketing y CRM para WordPress y WooCommerce) se ven afectados por esto.

19 Aug 2025, 08:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-19 08:15

Updated : 2025-08-19 13:42

NVD link : CVE-2025-7654

Mitre link : CVE-2025-7654

CVE.ORG link : CVE-2025-7654

JSON object : View

Products Affected

No product.

CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor