A high-severity vulnerability has been identified in multiple FunnelKit plugins for WordPress, exposing sensitive information. An unauthenticated attacker can exploit a specific shortcode to read data stored in browser cookies, potentially leading to unauthorized access to user accounts and the theft of session information. Organizations using the affected plugins are at significant risk of data breaches and account takeovers.

The vulnerability exists within the wf_get_cookie shortcode implemented across several FunnelKit plugins. This shortcode is designed to retrieve and display the value of a specified cookie. Due to improper access control, this functionality can be triggered by an unauthenticated user, allowing them to craft requests that expose the contents of any cookie accessible to the web server, including sensitive session cookies, authentication tokens, and other user-specific data. An attacker could exploit this by injecting the shortcode into content that is processed by the server, such as a comment or a forum post, to exfiltrate cookie data from administrators or other users visiting the page.

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could lead to significant business consequences, including the compromise of user and administrator accounts. If an attacker successfully steals a privileged session cookie, they could gain full administrative access to the website, enabling them to deface the site, steal customer data, install malware, or disrupt business operations. This poses a direct risk of reputational damage, financial loss, and regulatory penalties associated with a data breach.

Immediate Action: Apply the security updates provided by the vendor across all affected FunnelKit plugins immediately. After patching, review web server and application access logs for any signs of exploitation, such as unusual requests containing the wf_get_cookie shortcode.

Proactive Monitoring: Configure security monitoring tools to search for and alert on the string [wf_get_cookie in web server access logs, particularly in POST request bodies and URL parameters. Monitor for unusual administrator session activity, such as logins from unexpected IP addresses or actions taken outside of normal business hours, which could indicate a session hijacking event.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block any requests containing the pattern [wf_get_cookie. As a temporary measure, consider disabling the affected plugins until they can be safely patched. Restricting permissions for untrusted users to post content that is rendered with shortcodes can also reduce the attack surface.

Public Exploit Available: false

Due to the high CVSS score of 8.8 and the direct risk of account takeover, this vulnerability requires immediate attention. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patches to all affected systems. Although this vulnerability is not currently listed on the CISA KEV list, its severity and the potential for straightforward exploitation warrant treating it as a critical threat. In parallel with patching, organizations should implement the recommended monitoring controls to detect any potential compromise.