CVE-2025-12878 is a stored cross-site scripting vulnerability identified in the FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress, affecting all versions up to and including 3.13.1.2. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient input sanitization and output escaping of the user-supplied `default` attribute in the `wfop_phone` shortcode. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages that utilize this shortcode. When other users access these pages, the injected scripts execute in their browsers, potentially allowing attackers to hijack sessions, steal cookies, perform actions on behalf of users, or deface content. The vulnerability does not require user interaction beyond visiting the compromised page, and the attack complexity is low since it only requires authenticated access to inject the payload. The CVSS 3.1 base score is 6.4, indicating medium severity, with the vector showing network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. Currently, there are no known exploits in the wild, but the vulnerability poses a significant risk due to the widespread use of WooCommerce and FunnelKit in e-commerce sites. The lack of patches at the time of disclosure necessitates immediate mitigation efforts by affected organizations.

The impact of CVE-2025-12878 is primarily on the confidentiality and integrity of affected web applications. Successful exploitation allows attackers to execute arbitrary scripts in the context of users' browsers, leading to session hijacking, theft of sensitive information such as authentication tokens, and unauthorized actions performed on behalf of legitimate users. This can result in compromised user accounts, data leakage, and potential defacement or manipulation of e-commerce checkout processes, undermining customer trust and business reputation. Since the vulnerability requires authenticated access at Contributor level or higher, insider threats or compromised accounts can be leveraged to exploit this flaw. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the vulnerable component, potentially impacting other parts of the web application. Given the widespread deployment of WooCommerce and FunnelKit in online stores globally, the threat could affect a large number of e-commerce businesses, leading to financial losses and regulatory compliance issues if customer data is exposed.

To mitigate CVE-2025-12878, organizations should immediately upgrade the FunnelKit – Funnel Builder for WooCommerce Checkout plugin to a version where the vulnerability is patched once available. Until a patch is released, administrators should restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script payloads in shortcode attributes can provide temporary protection. Additionally, applying Content Security Policy (CSP) headers to restrict the execution of inline scripts and untrusted sources can reduce the impact of XSS attacks. Regularly audit user roles and permissions to ensure least privilege principles are enforced. Monitoring logs for unusual shortcode usage or content changes may help detect exploitation attempts. Finally, educating content contributors about the risks of injecting untrusted content and encouraging safe content practices can further reduce exposure.