CVE-2026-0626

Name of the Vulnerable Software and Affected Versions WPFunnels – Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales versions up to and including 3.7.9

Description The WPFunnels plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'wpf optin form' shortcode. Insufficient input sanitization and output escaping of the button icon parameter allows authenticated attackers with contributor-level access or higher to inject malicious web scripts into pages. These scripts will execute when a user accesses the compromised page.

Recommendations Update WPFunnels to a version beyond 3.7.9