cleantalk
Vulnerabilities and Security Researches

Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels, CVE-2026-0626

CVE, Research URL

CVE-2026-0626

Home page URL

Security reports for Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels

Application

Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels

Published on
Apr 04, 2026
Research Description
The WPFunnels – Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpf_optin_form' shortcode in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping of the 'button_icon' parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.8.0.
Status
vulnerable
Previous vulnerability researches
Verge3D Publishing and E-Commerce (CVE-2025-22709) , Jan 19, 2025
Verge3D Publishing and E-Commerce (CVE-2025-30833) , Apr 02, 2025
Verge3D Publishing and E-Commerce (CVE-2025-48241) , May 24, 2025
Verge3D Publishing and E-Commerce (CVE-2023-51421) , Jun 06, 2024
Verge3D Publishing and E-Commerce (CVE-2023-51420) , Jun 06, 2024
New vulnerability
Percent to Infograph (CVE-2026-1939) , Apr 16, 2026
Magic Login Mail (CVE-2026-2144) , Apr 16, 2026
PostmarkApp Email Integrator (CVE-2026-1043) , Apr 16, 2026
Name Directory (CVE-2026-1866) , Apr 15, 2026
Name Directory (CVE-2026-3178) , Apr 15, 2026