CVE-2025-12878 is a stored Cross-Site Scripting vulnerability identified in the FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress, affecting all versions up to and including 3.13.1.2. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'default' attribute in the wfop_phone shortcode. This flaw allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS v3.1 base score of 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits are currently known, but the risk remains significant due to the widespread use of WooCommerce and FunnelKit in e-commerce websites. The vulnerability highlights a failure to properly sanitize user input and escape output in the plugin's shortcode processing, a common vector for stored XSS attacks in WordPress plugins. The flaw can be exploited by malicious contributors who can inject payloads that persist and affect other users, including administrators and customers. This can undermine trust, lead to data theft, and facilitate further attacks such as phishing or malware distribution. The vulnerability was reserved on November 7, 2025, and published on November 19, 2025, by Wordfence, with no patch links currently available, indicating that a fix is pending or in development.

For European organizations, especially those operating e-commerce platforms using WooCommerce with the FunnelKit plugin, this vulnerability poses a significant risk to customer data confidentiality and website integrity. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site administrators, customers, or other users, potentially leading to session hijacking, theft of personal data, or unauthorized transactions. This can damage brand reputation, lead to regulatory non-compliance under GDPR due to data breaches, and cause financial losses. The medium severity rating reflects that while exploitation requires authenticated access, the impact on confidentiality and integrity is notable, and the scope includes potential compromise of multiple user accounts. The vulnerability could also be leveraged as a foothold for further attacks within the network. Given the importance of e-commerce in Europe and the reliance on WordPress plugins, the threat could disrupt business operations and customer trust if exploited.

1. Monitor official channels of the FunnelKit plugin vendor and WordPress security advisories for the release of a security patch and apply it immediately upon availability. 2. Until a patch is released, restrict Contributor-level access to trusted users only and review user roles and permissions to minimize risk. 3. Implement Web Application Firewall (WAF) rules that detect and block malicious script payloads targeting the wfop_phone shortcode or suspicious input patterns. 4. Conduct manual code review or apply custom input sanitization and output escaping for the 'default' attribute in the shortcode if feasible, to neutralize malicious scripts. 5. Regularly audit website content for unauthorized script injections and monitor logs for unusual contributor activity. 6. Educate site administrators and content contributors about the risks of XSS and safe content practices. 7. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 8. Backup website data regularly to enable quick recovery in case of compromise.