CVE-2025-7654: FunnelKit Information Disclosure Flaw

CVE-2025-7654 is an information disclosure vulnerability in FunnelKit plugins that allows authenticated attackers to extract sensitive data including authentication cookies. This article covers technical details, impact, and mitigation.

CVE-2025-7654 Overview

CVE-2025-7654 is a sensitive information exposure vulnerability affecting multiple FunnelKit plugins for WordPress and WooCommerce. The flaw resides in the wf_get_cookie shortcode, which fails to enforce access controls when returning cookie values. Authenticated attackers with Contributor-level access or higher can extract authentication cookies belonging to other site users. Stolen session cookies enable account takeover and privilege escalation against administrators. Both FunnelKit – Funnel Builder for WooCommerce Checkout and FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce are affected. The weakness is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.

Critical Impact

A low-privileged Contributor account can harvest administrator session cookies through a single shortcode invocation, enabling full WordPress site takeover.

Affected Products

  • FunnelKit – Funnel Builder for WooCommerce Checkout (through version 3.11.0.2)
  • FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce (through version 3.6.3)
  • WordPress sites running affected FunnelKit plugin versions with Contributor-level (or higher) user registration enabled

Discovery Timeline

  • 2025-08-19 - CVE-2025-7654 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-7654

Vulnerability Analysis

The vulnerability lives in the wf_get_cookie shortcode handler defined in class-bwf-data-tags.php within both FunnelKit plugins. The shortcode accepts a cookie name as a parameter and returns the corresponding cookie value from the current request context. The handler neither restricts which cookies can be read nor validates the requested cookie name against an allowlist.

WordPress shortcodes can be embedded by any user permitted to author content, including the Contributor role. When a Contributor publishes or previews content containing the shortcode, the server-side renderer resolves the shortcode against the requesting user's cookies. A more privileged user who later views that content unwittingly triggers reflection of their own authentication cookies into the rendered output.

Root Cause

The root cause is missing authorization and input validation on a data-emitting shortcode. The wf_get_cookie implementation treats cookie retrieval as a benign templating feature. It does not validate the caller's capability, restrict accessible cookie keys, or block sensitive prefixes such as wordpress_logged_in_ and wordpress_sec_.
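The hypothetical handler below is an added illustration, not FunnelKit's code and not the vendor's fix. It shows the three controls the root-cause analysis describes as missing: a blocked-prefix list, an allowlist of cookie names, and a capability check. The shortcode tag `example_get_cookie`, the allowlisted cookie names and all function names are invented; `shortcode_atts`, `sanitize_text_field`, `get_post`, `user_can`, `wp_unslash`, `esc_html` and `add_shortcode` are real WordPress functions, so the file runs inside a WordPress install (for instance as a must-use plugin). One design point worth noticing: the shortcode executes with the viewer's cookies, so a check on the viewer would pass exactly when an administrator is the one being reflected; the gate has to be on the author of the content.

```php
<?php
// Added example, not FunnelKit's code: a hypothetical cookie-reading shortcode with the
// checks the root-cause analysis describes as missing. All names below are invented.

// Cookies a templating shortcode may legitimately expose (constructed names).
const EXAMPLE_COOKIE_ALLOWLIST = ['example_campaign_ref', 'example_ab_variant'];

// Prefixes that are never readable through content, regardless of the allowlist.
const EXAMPLE_BLOCKED_PREFIXES = ['wordpress_logged_in_', 'wordpress_sec_', 'wordpress_', 'wp-settings-'];

/** True only for an allowlisted name that carries none of the blocked prefixes. */
function example_cookie_name_is_allowed(string $name): bool
{
    foreach (EXAMPLE_BLOCKED_PREFIXES as $prefix) {
        if (strncmp($name, $prefix, strlen($prefix)) === 0) {
            return false;
        }
    }
    return in_array($name, EXAMPLE_COOKIE_ALLOWLIST, true);
}

/**
 * Hardened handler. The shortcode is rendered with the *viewer's* cookies, so a check on
 * the viewer (current_user_can) would pass precisely when an administrator is the victim.
 * The authorization gate therefore sits on the author of the post carrying the shortcode.
 */
function example_get_cookie_shortcode($atts): string
{
    $atts = shortcode_atts(['name' => ''], $atts, 'example_get_cookie');
    $name = sanitize_text_field((string) $atts['name']);

    // 1. Input validation: only known, non-sensitive cookie names get through.
    if ($name === '' || !example_cookie_name_is_allowed($name)) {
        return '';
    }

    // 2. Authorization: only content written by a user who may read cookies at all
    //    (manage_options limits this to administrators; tighten or relax per site policy).
    $post = get_post();
    if (!$post || !user_can((int) $post->post_author, 'manage_options')) {
        return '';
    }

    // 3. Output: escape before the value reaches the rendered page.
    if (!isset($_COOKIE[$name])) {
        return '';
    }
    return esc_html(sanitize_text_field(wp_unslash($_COOKIE[$name])));
}

add_shortcode('example_get_cookie', 'example_get_cookie_shortcode');
```

The allowlist is the control that actually closes the exposure; the author capability check is defense in depth for the case where a legitimately exposable cookie is later repurposed for something sensitive.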

Attack Vector

An attacker authenticates as a Contributor and embeds the wf_get_cookie shortcode referencing a WordPress authentication cookie name into a post or page. When an administrator previews, moderates, or visits the resulting content, the rendered HTML contains the administrator's session cookie. The attacker retrieves the cookie value through the rendered page or a callback channel and reuses it to impersonate the privileged user. Beyond an administrator's normal editorial review of the submitted content, exploitation requires no user interaction, and it works remotely over the network.

No verified proof-of-concept code is published. See the Wordfence Vulnerability Analysis and the vulnerable handler in the WordPress Funnel Builder Code for technical details.

Detection Methods for CVE-2025-7654

Indicators of Compromise

  • Posts, pages, or custom post types authored by Contributor-level accounts containing the [wf_get_cookie] shortcode or references to wf_get_cookie in post_content.
  • Unexpected administrator session activity from new IP addresses or user agents following Contributor content submissions.
  • Outbound HTTP requests from the WordPress host to attacker-controlled domains immediately after content preview by administrators.

Detection Strategies

  • Query the wp_posts table for the string wf_get_cookie across all post statuses, including drafts and revisions authored by non-administrator users.
  • Audit the WordPress access log for preview=true or p=<id> requests by administrators that follow content creation events by Contributors.
  • Inspect HTTP response bodies for leaked cookie strings matching wordpress_logged_in_* or wp-settings-* patterns.
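The following scanner is an added example, not part of the advisory or of any vendor tooling. It implements the first and third detection strategies in plain PHP: one function walks rows shaped like a wp_posts export (joined to the author's role) and reports every non-administrator post that references wf_get_cookie, extracting the requested cookie name and flagging names that target WordPress session cookies; a second function searches a rendered page for values laid out like a WordPress authentication cookie (username|expiration|token|hmac, an assumption about the current cookie format, with the token and hmac lengths kept loose). The sample rows and the sample HTML, including the username, token and hmac in it, are constructed; the script runs with the PHP CLI and needs no WordPress.

```php
<?php
// Added detection example, not part of the advisory: scans wp_posts-style rows for the
// shortcode and a rendered page for reflected auth-cookie values. All sample data is constructed.

/**
 * Return every row from a non-trusted author whose post_content references wf_get_cookie,
 * with the requested cookie name (when a name= attribute is present) and whether that name
 * targets a WordPress session or settings cookie.
 */
function example_find_shortcode_posts(array $rows, array $trusted_roles = ['administrator']): array
{
    $hits = [];
    foreach ($rows as $row) {
        if (in_array($row['author_role'], $trusted_roles, true)) {
            continue;
        }
        if (stripos($row['post_content'], 'wf_get_cookie') === false) {
            continue; // bare references count too, as the IoC list says
        }
        $cookie = null;
        if (preg_match('/\[\s*wf_get_cookie\b([^\]]*)\]/i', $row['post_content'], $tag)
            && preg_match('/\bname\s*=\s*["\']?([^"\'\s\]]+)/i', $tag[1], $attr)) {
            $cookie = $attr[1];
        }
        $hits[] = [
            'ID'          => $row['ID'],
            'post_status' => $row['post_status'],
            'post_author' => $row['post_author'],
            'cookie'      => $cookie,
            'sensitive'   => $cookie !== null
                && preg_match('/^(wordpress_(logged_in|sec)_|wp-settings-)/i', $cookie) === 1,
        ];
    }
    return $hits;
}

/**
 * Find auth-cookie-shaped values reflected into HTML. Assumes the WordPress layout
 * username|expiration|token|hmac; token and hmac lengths are deliberately loose.
 */
function example_find_leaked_auth_cookies(string $html): array
{
    $decoded = rawurldecode($html); // a reflected cookie value may still be URL-encoded
    preg_match_all('/([A-Za-z0-9_.@-]+)\|(\d{10})\|([A-Za-z0-9]{20,})\|([0-9a-f]{32,64})/',
        $decoded, $matches, PREG_SET_ORDER);
    $leaks = [];
    foreach ($matches as $m) {
        $leaks[] = ['user' => $m[1], 'expires' => gmdate('c', (int) $m[2])];
    }
    return $leaks;
}

// Constructed sample rows in the shape of a wp_posts export joined to the author's role.
$sample_rows = [
    ['ID' => 101, 'post_author' => 7, 'author_role' => 'contributor', 'post_status' => 'pending',
     'post_content' => 'Thanks for reading! [wf_get_cookie name="wordpress_logged_in_0123abcd"]'],
    ['ID' => 102, 'post_author' => 7, 'author_role' => 'contributor', 'post_status' => 'draft',
     'post_content' => '[wf_get_cookie name=\'wp-settings-1\']'],
    ['ID' => 103, 'post_author' => 1, 'author_role' => 'administrator', 'post_status' => 'publish',
     'post_content' => 'Welcome back, [wf_get_cookie name="example_campaign_ref"]'],
    ['ID' => 104, 'post_author' => 9, 'author_role' => 'author', 'post_status' => 'publish',
     'post_content' => 'Nothing to see here.'],
];
print_r(example_find_shortcode_posts($sample_rows));

// Constructed page body carrying a fake reflected cookie value (fake user, token and hmac).
$sample_html = '<p>Thanks for reading! admin|1766000000|' . str_repeat('t', 43) . '|' . str_repeat('0', 64) . '</p>';
print_r(example_find_leaked_auth_cookies($sample_html));
```

On the constructed data the first scan reports rows 101 and 102 (both flagged sensitive) and skips the administrator-authored row, and the second reports one reflected value for the constructed user. Against a live site, feed the first function the output of a query such as the one in the first detection strategy (all statuses, revisions included) and the second function a stored copy of the response bodies your proxy or WAF logs for preview requests.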

Monitoring Recommendations

  • Forward WordPress audit logs and web server access logs to a centralized SIEM and alert on shortcode names associated with this CVE.
  • Monitor user role escalations and unexpected creation of administrator accounts in the wp_users and wp_usermeta tables.
  • Track plugin file integrity for class-bwf-data-tags.php to detect tampering or rollback to vulnerable versions.

How to Mitigate CVE-2025-7654

Immediate Actions Required

  • Update FunnelKit – Funnel Builder for WooCommerce Checkout and FunnelKit Automations to the latest patched releases published after the vulnerable versions 3.11.0.2 and 3.6.3 respectively.
  • Audit all Contributor, Author, and Editor accounts and remove unused or untrusted users; rotate passwords for any accounts that authored content during the exposure window.
  • Force a global logout by rotating WordPress authentication keys and salts in wp-config.php to invalidate any cookies that may have been exfiltrated.

Patch Information

FunnelKit has published fixed versions of both affected plugins. Site administrators should apply the vendor-supplied updates through the WordPress plugin updater or by replacing plugin files manually. Validate the fix by confirming the wf_get_cookie handler in class-bwf-data-tags.php now enforces capability checks and restricts accessible cookie names. Refer to the Wordfence Vulnerability Analysis for vendor patch version details.

Workarounds

  • Restrict content authoring roles to trusted users only and disable open user registration with Contributor defaults until the patch is applied.
  • Deploy a web application firewall rule that strips or blocks the wf_get_cookie shortcode from post content and request bodies.
  • Set the HttpOnly and Secure flags on WordPress authentication cookies through reverse proxy or security plugin configuration to limit cookie reuse from client-side contexts.

The following configuration example rotates the WordPress salts to invalidate stolen cookies and brings both plugins past the vulnerable releases with WP-CLI:

```bash
# Configuration example: rotate WordPress salts to invalidate stolen cookies
# 1. Generate fresh keys from the WordPress secret-key API
curl https://api.wordpress.org/secret-key/1.1/salt/

# 2. Replace the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY,
#    AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT
#    constants in wp-config.php with the new values.

# 3. Update the FunnelKit plugins via WP-CLI
wp plugin update funnel-builder wp-marketing-automations

# 4. Verify the installed versions are above the vulnerable releases
#    (3.11.0.2 for funnel-builder, 3.6.3 for wp-marketing-automations)
wp plugin get funnel-builder --field=version
wp plugin get wp-marketing-automations --field=version
```
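Where a web application firewall rule is not available, the same interim block can be applied server-side. The must-use plugin below is an added example, not from FunnelKit or the advisory; it assumes the plugin renders wf_get_cookie through WordPress's normal do_shortcode path. It short-circuits the shortcode for any content not authored by an administrator, writes a log line that the detection section's SIEM alerting can pick up, and strips the shortcode from content saved by users lacking unfiltered_html so that stored post_content carries no shortcode at all. `pre_do_shortcode_tag`, `wp_insert_post_data`, `get_post`, `user_can`, `current_user_can` and `sanitize_text_field` are real WordPress APIs; the plugin name and log prefix are invented. Drop the file into wp-content/mu-plugins/ and remove it once the patched versions are installed.

```php
<?php
/**
 * Plugin Name: Example interim block for wf_get_cookie
 * Description: Added example mu-plugin, not vendor code. Neutralizes the wf_get_cookie
 *              shortcode for content not authored by an administrator until the patched
 *              FunnelKit releases are installed. Remove after updating.
 */

// Short-circuit the shortcode before its handler runs: returning anything other than
// false from pre_do_shortcode_tag replaces the shortcode's output (WordPress >= 4.7).
add_filter('pre_do_shortcode_tag', function ($return, $tag, $attr) {
    if ($tag !== 'wf_get_cookie') {
        return $return;
    }
    // The shortcode renders with the viewer's cookies, so gate on the content's author.
    $post      = get_post();
    $author_ok = $post && user_can((int) $post->post_author, 'manage_options');
    if ($author_ok) {
        return $return; // keep the plugin's own behaviour for administrator-authored content
    }
    // Leave a log line for the monitoring described under Detection Methods.
    $name = is_array($attr) && isset($attr['name']) ? sanitize_text_field($attr['name']) : '(none)';
    error_log(sprintf('[example-cve-2025-7654] blocked wf_get_cookie name=%s post=%d author=%d',
        $name, $post ? (int) $post->ID : 0, $post ? (int) $post->post_author : 0));
    return '';
}, 10, 3);

// Belt and braces: strip the shortcode from content saved by users without unfiltered_html,
// so the IoC never lands in post_content in the first place.
add_filter('wp_insert_post_data', function (array $data) {
    if (!current_user_can('unfiltered_html') && isset($data['post_content'])) {
        $data['post_content'] = preg_replace('/\[\s*\/?\s*wf_get_cookie\b[^\]]*\]/i', '', $data['post_content']);
    }
    return $data;
}, 10, 1);
```

Because the block is conditional on the author rather than the viewer, an administrator previewing a Contributor's pending post gets an empty string where the shortcode was, which is the outcome the detection strategies look for in response bodies.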

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
