CVE-2025-7654

8.8 HIGH

📋 TL;DR

This vulnerability in FunnelKit plugins allows authenticated attackers with Contributor-level access or higher to extract sensitive data including authentication cookies of other users via the wf_get_cookie shortcode. This could lead to privilege escalation attacks. Both FunnelKit Funnel Builder for WooCommerce Checkout and FunnelKit Automations are affected.

💻 Affected Systems

Products:
  • FunnelKit – Funnel Builder for WooCommerce Checkout
  • FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
Versions: Funnel Builder before 3.11.0.2; Automations before 3.6.3
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access with Contributor role or higher. Both plugins share vulnerable code in the woofunnels/includes/class-bwf-data-tags.php file.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to WordPress sites, compromise user accounts, steal sensitive data, and potentially take full control of affected websites.

🟠 Likely Case

Authenticated attackers with contributor access steal session cookies and escalate privileges to administrator or editor roles, gaining unauthorized access to sensitive site data.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to potential data exposure from compromised contributor accounts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple once an attacker has Contributor-level credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Funnel Builder 3.11.0.2+, FunnelKit Automations 3.6.3+

Vendor Advisory: https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.11.0.2/woofunnels/includes/class-bwf-data-tags.php#L52

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins.
  3. Update both FunnelKit Funnel Builder and FunnelKit Automations to the latest versions.
  4. Verify that the updates completed successfully.

🔧 Temporary Workarounds

Disable vulnerable shortcode (applies to: all)

Remove or disable the wf_get_cookie shortcode functionality: edit woofunnels/includes/class-bwf-data-tags.php and comment out or remove the wf_get_cookie shortcode registration. A manual edit to a plugin file is lost on the next plugin update, so track the change until the patched release is installed.

Restrict contributor access (applies to: all)

Temporarily remove Contributor role access until patching: use WordPress user management to downgrade or remove Contributor roles from untrusted users.

🧯 If You Can't Patch

  • Implement strict access controls and monitor Contributor-level user activities
  • Deploy web application firewall rules to block suspicious shortcode usage

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins for FunnelKit plugin versions. Vulnerable if Funnel Builder < 3.11.0.2 or Automations < 3.6.3.

Check Version:

wp plugin list --name=funnel* --field=version (if WP-CLI installed)

Verify Fix Applied:

Confirm both plugins show updated versions: Funnel Builder ≥ 3.11.0.2 and Automations ≥ 3.6.3 in WordPress plugins list.
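The version check above can be scripted so that it is repeatable across sites. The following is an added example, not code from FunnelKit or from this advisory; it assumes WP-CLI is available as `wp` on the server (the pure comparison functions run without it) and uses the plugin slugs `funnel-builder` (from the vendor link) and `wp-marketing-automations` (from the SIEM query). Version strings are compared component-wise so that `3.11` is correctly treated as older than `3.11.0.2`, which a plain string comparison would get wrong.

```python
"""Version check for CVE-2025-7654 against the fixed FunnelKit releases.

Added example; not code from FunnelKit or the advisory. Assumes WP-CLI is on
PATH as `wp` when run against a live site; the pure functions run without it.
"""
import json
import shutil
import subprocess

# Fixed versions stated in the advisory. Slugs: "funnel-builder" (from the
# vendor link) and "wp-marketing-automations" (from the SIEM query).
FIXED_VERSIONS = {
    "funnel-builder": "3.11.0.2",
    "wp-marketing-automations": "3.6.3",
}


def parse_version(version):
    """'3.11.0.2' -> (3, 11, 0, 2). Drops any '-suffix' and treats
    non-numeric components as 0, so a mangled string never raises."""
    core = version.strip().split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(installed, fixed):
    """True when installed < fixed. Shorter tuples are right-padded with 0,
    so '3.11' compares as 3.11.0.0 (below 3.11.0.2) and '3.6.3' == '3.6.3.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def is_vulnerable(slug, installed):
    """True/False for the two covered plugins; None for any other slug."""
    fixed = FIXED_VERSIONS.get(slug)
    if fixed is None:
        return None
    return version_lt(installed, fixed)


def installed_plugins(wp="wp"):
    """{slug: version} from `wp plugin list --format=json --fields=name,version`.
    Returns {} when WP-CLI is not available (e.g. when run off the server)."""
    if shutil.which(wp) is None:
        return {}
    proc = subprocess.run(
        [wp, "plugin", "list", "--format=json", "--fields=name,version"],
        capture_output=True, text=True, check=True,
    )
    return {p["name"]: p["version"] for p in json.loads(proc.stdout)}


def report(plugins):
    """{slug: (installed, fixed, vulnerable)} for each covered plugin present."""
    return {
        slug: (ver, FIXED_VERSIONS[slug], is_vulnerable(slug, ver))
        for slug, ver in plugins.items()
        if slug in FIXED_VERSIONS
    }


if __name__ == "__main__":
    found = report(installed_plugins())
    if not found:
        print("No FunnelKit plugin covered by CVE-2025-7654 found (or WP-CLI unavailable).")
    for slug, (ver, fixed, vuln) in found.items():
        state = "VULNERABLE" if vuln else "patched"
        print(f"{slug}: installed {ver}, fixed {fixed} -> {state}")
```

Run it from the WordPress root (where WP-CLI can find wp-config.php); a plugin that is installed but inactive is still reported, since the file on disk is what the next activation would run.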

📡 Detection & Monitoring

Log Indicators:

  • Unusual shortcode usage patterns
  • Multiple failed authentication attempts followed by successful Contributor login
  • Suspicious user role changes

Network Indicators:

  • HTTP requests containing wf_get_cookie parameter
  • Unusual cookie transmission patterns
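Because the shortcode only runs when it is present in content, the most direct indicator of the "unusual shortcode usage" listed above is the shortcode appearing in posts, including drafts and pending posts, authored by low-privilege accounts. The following is an added example, not code from FunnelKit or from this advisory. It reads rows in the shape of `wp post list --format=json --fields=ID,post_author,post_status,post_content` and aggregates occurrences per author; the sample rows and their IDs and author numbers are constructed, and the `wp` binary on PATH is an assumption for the live-site path.

```python
"""Find posts whose content contains the wf_get_cookie shortcode.

Added example; not code from FunnelKit or the advisory. Input rows have the
shape of `wp post list --format=json --fields=ID,post_author,post_status,post_content`;
the SAMPLE_POSTS rows below are constructed, not taken from a real site.
"""
import json
import re
import shutil
import subprocess
from collections import defaultdict

# WordPress renders [[shortcode]] literally (escaped), so a '[' immediately
# before the tag is excluded; \b keeps a longer tag name from matching.
# Shortcode tags are case-sensitive in WordPress, so no IGNORECASE here.
SHORTCODE_RE = re.compile(r"(?<!\[)\[wf_get_cookie\b")


def find_shortcode_uses(posts):
    """One record per post that contains the shortcode, with the number of
    occurrences, regardless of post status (drafts and pending posts count)."""
    hits = []
    for post in posts:
        content = post.get("post_content") or ""
        occurrences = len(SHORTCODE_RE.findall(content))
        if occurrences:
            hits.append({
                "ID": int(post["ID"]),
                "post_author": int(post["post_author"]),
                "post_status": post.get("post_status", ""),
                "occurrences": occurrences,
            })
    return hits


def uses_by_author(hits):
    """Total occurrences per author ID; content authored by a Contributor
    account is the case the advisory describes and is what to review first."""
    totals = defaultdict(int)
    for hit in hits:
        totals[hit["post_author"]] += hit["occurrences"]
    return dict(totals)


def load_posts_via_wp_cli(wp="wp"):
    """Pull every post of every type/status from WP-CLI; [] when wp is unavailable."""
    if shutil.which(wp) is None:
        return []
    proc = subprocess.run(
        [wp, "post", "list", "--post_type=any", "--post_status=any",
         "--format=json", "--fields=ID,post_author,post_status,post_content"],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


# Constructed sample rows (hypothetical IDs and authors) for an offline run.
SAMPLE_POSTS = [
    {"ID": "101", "post_author": "2", "post_status": "publish",
     "post_content": "<p>Summer sale starts Monday.</p>"},
    {"ID": "102", "post_author": "7", "post_status": "pending",
     "post_content": "<p>Guest post</p>[wf_get_cookie]"},
    {"ID": "103", "post_author": "2", "post_status": "publish",
     "post_content": "Docs: write [[wf_get_cookie]] to show the tag literally."},
    {"ID": "104", "post_author": "7", "post_status": "draft",
     "post_content": "[wf_get_cookie] and again [wf_get_cookie]"},
]


if __name__ == "__main__":
    posts = load_posts_via_wp_cli() or SAMPLE_POSTS
    hits = find_shortcode_uses(posts)
    for hit in hits:
        print(f"post {hit['ID']} ({hit['post_status']}) by author {hit['post_author']}: "
              f"{hit['occurrences']} occurrence(s)")
    print("per author:", uses_by_author(hits))
```

Cross-check each flagged author against their role (for example with `wp user get <ID> --field=roles`): a hit under an Administrator who built the funnel pages is expected, while a hit under a Contributor is the pattern this CVE describes and should be treated as an incident until explained.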

SIEM Query:

source="wordpress" AND ((plugin_version="funnel-builder" AND version<"3.11.0.2") OR (plugin_version="wp-marketing-automations" AND version<"3.6.3"))
