CVE-2025-7654: 
WordPress vulnerability analysis and mitigation

Multiple FunnelKit plugins (FunnelKit - Funnel Builder for WooCommerce Checkout and FunnelKit Automations - Email Marketing Automation and CRM for WordPress & WooCommerce) are affected by a Sensitive Information Exposure vulnerability (CVE-2025-7654). The vulnerability was discovered and disclosed on August 19, 2025, affecting the wfgetcookie shortcode functionality (NVD).

The vulnerability exists in the wfgetcookie shortcode implementation within the class-bwf-data-tags.php file. It allows authenticated attackers with Contributor-level access or higher to extract sensitive data, including authentication cookies of other site users. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious security issue with potential for significant impact (NVD).

The vulnerability enables authenticated attackers to access sensitive information, specifically authentication cookies belonging to other users of the site. This exposure of sensitive data could potentially lead to privilege escalation, allowing attackers to gain unauthorized access to user accounts (NVD).

The affected code has been identified in FunnelKit plugins version 3.11.0.2 and FunnelKit Automations version 3.6.3. Users should monitor for and apply security updates when available (WordPress Plugin, WordPress Plugin).