CVE-2025-12878 is a stored cross-site scripting (XSS) vulnerability identified in the FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress, specifically affecting all versions up to and including 3.13.1.2. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), where the plugin fails to adequately sanitize and escape user-supplied data in the `default` attribute of the `wfop_phone` shortcode. This flaw allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored, it executes whenever any user accesses the infected page, potentially leading to session hijacking, defacement, or unauthorized actions performed in the context of the victim's browser session. The vulnerability does not require user interaction beyond visiting the compromised page, and the attack vector is remote network exploitation with low attack complexity. The CVSS v3.1 base score is 6.4, reflecting medium severity with partial impact on confidentiality and integrity but no impact on availability. No public exploits or patches are currently available, increasing the urgency for affected sites to implement mitigations. The vulnerability affects a widely used e-commerce plugin integrated with WooCommerce, a popular WordPress e-commerce platform, thus potentially impacting numerous online stores globally.

For European organizations, this vulnerability poses a significant risk to e-commerce websites using the FunnelKit plugin with WooCommerce. Successful exploitation could lead to theft of sensitive customer data such as session cookies, personal information, or payment details by executing malicious scripts in users' browsers. It could also enable attackers to perform unauthorized actions on behalf of legitimate users, potentially leading to fraudulent transactions or site defacement. The stored nature of the XSS means that once injected, the malicious payload can affect multiple visitors, amplifying the impact. This could damage brand reputation, lead to regulatory non-compliance under GDPR due to data breaches, and cause financial losses. Given the widespread adoption of WooCommerce in Europe, especially in countries with strong e-commerce sectors, the threat could affect a large number of small to medium-sized enterprises that rely on this plugin for checkout funnel management.

1. Immediate mitigation involves restricting Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious input injection. 2. Implement Web Application Firewall (WAF) rules specifically targeting suspicious input patterns in the `wfop_phone` shortcode parameters to block exploit attempts. 3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4. Regularly audit and sanitize all user-generated content and shortcode attributes before rendering them on pages. 5. Monitor plugin updates from the vendor and apply patches promptly once available. 6. Conduct security awareness training for site administrators and content contributors about the risks of XSS and safe content practices. 7. Consider temporarily disabling or replacing the FunnelKit plugin with alternative solutions until a secure version is released. 8. Use security plugins that detect and alert on suspicious script injections within WordPress environments.