CVE-2022-4782

MEDIUM

ClickFunnels < 3.1.1 - Stored Cross-Site Scripting via Shortcode Attribute

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-4782. PoCs published by Sudo-WP.

AI-analyzed exploit summary: This repository is a security-patched fork of the legacy ClickFunnels Classic plugin, addressing CVE-2022-4782 (Stored XSS) and CVE-2022-47152 (CSRF). It includes documentation and code changes for hardening but does not contain exploit code.

Description

The ClickFunnels WordPress plugin through 3.1.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as Contributor to perform a Stored Cross-Site Scripting attack.

Exploits (1)

nomisec WRITEUP
by Sudo-WP · poc
https://github.com/Sudo-WP/sudowp-clickfunnels-zurich

Classification
Writeup 90%
Attack Type
XSS
Complexity
Moderate
Reliability
Theoretical
Target: ClickFunnels Classic plugin (v3.1.1)
No auth needed
Prerequisites: WordPress installation with vulnerable ClickFunnels plugin
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References (1)
Type: Exploit, Third Party Advisory · Tags: exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/d3a0468a-8405-4b6c-800f-abd5ce5387b5

Scores

CVSS v3 5.4
EPSS 0.0044
EPSS Percentile 35.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

Status published
Products (1)
clickfunnels/clickfunnels < 3.1.1
Published Aug 16, 2023
Tracked Since Feb 18, 2026