CVE-2025-7654 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in multiple FunnelKit plugins developed by amans2k, specifically FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce, and FunnelKit – Funnel Builder for WooCommerce Checkout. The vulnerability arises from improper handling of the wf_get_cookie shortcode, which can be leveraged by authenticated attackers with Contributor-level privileges or higher to retrieve sensitive data, including authentication cookies belonging to other users on the site. This exposure enables attackers to potentially escalate their privileges by hijacking sessions or impersonating higher-privileged users. The vulnerability affects all versions of the plugins, indicating a systemic issue in the codebase. The CVSS v3.1 base score is 8.8, reflecting a high severity with network attack vector, low attack complexity, and privileges required but no user interaction needed. The impact spans confidentiality, integrity, and availability, as attackers can gain unauthorized access and potentially disrupt site operations. Although no public exploits have been reported yet, the vulnerability's nature and ease of exploitation make it a critical concern for WordPress sites using these plugins, especially those handling sensitive customer data or e-commerce transactions.

The exploitation of CVE-2025-7654 can have severe consequences for organizations worldwide that use FunnelKit plugins on WordPress and WooCommerce platforms. Attackers with Contributor-level access can extract authentication cookies of other users, enabling session hijacking and privilege escalation to administrator or higher roles. This can lead to unauthorized access to sensitive customer data, manipulation of marketing automation workflows, fraudulent transactions, and potential full site compromise. The exposure of authentication cookies also undermines user trust and can result in regulatory non-compliance, especially in regions with strict data protection laws such as GDPR or CCPA. E-commerce sites relying on these plugins may face financial losses, reputational damage, and operational disruptions. Since the vulnerability requires only authenticated access with relatively low privileges, insider threats or compromised low-level accounts pose significant risks. The broad impact on confidentiality, integrity, and availability underscores the critical need for timely remediation.

To mitigate CVE-2025-7654, organizations should immediately verify if they are using any affected versions of FunnelKit Automations or FunnelKit Funnel Builder plugins. Since no official patches are currently listed, administrators should consider the following specific actions: 1) Restrict Contributor-level and higher access strictly to trusted users and review user roles to minimize unnecessary privileges. 2) Disable or restrict use of the wf_get_cookie shortcode in site content or templates until a patch is available. 3) Implement Web Application Firewall (WAF) rules to detect and block attempts to exploit the shortcode. 4) Monitor logs for unusual access patterns or attempts to retrieve cookie data. 5) Enforce multi-factor authentication (MFA) for all users with elevated privileges to reduce the risk of account compromise. 6) Regularly back up site data and configurations to enable rapid recovery in case of compromise. 7) Stay alert for vendor updates or patches and apply them promptly once released. 8) Conduct security audits and penetration testing focused on plugin vulnerabilities to identify and remediate similar issues proactively.