Skip to main content

FunnelKit CVE-2026-12978

| EUVDEUVD-2026-44881 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-16 WPScan GHSA-j8mc-rrx2-537q
7.1
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

Unauthenticated reflected XSS (PR:N) needs victim interaction (UI:R) and crosses into the browser context (S:C) with low confidentiality/integrity impact; no genuine availability impact so A:N.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Jul 16, 2026 - 13:23 vuln.today
CVSS changed
Jul 16, 2026 - 13:22 NVD
7.1 (HIGH)
Patch available
Jul 16, 2026 - 10:18 EUVD
CVE Published
Jul 16, 2026 - 06:00 cve.org
HIGH 7.1
CVE Published
Jul 16, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The FunnelKit WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted page. The affected action is only registered when the Divi /builder is active.

AnalysisAI

Reflected Cross-Site Scripting in the FunnelKit WordPress plugin before 3.15.0.6 lets unauthenticated attackers inject arbitrary JavaScript into a page-builder AJAX response, which executes in the browser of a logged-in user who opens an attacker-crafted link. The flaw is only reachable when the Divi builder integration is active, and publicly available exploit code exists though there is no public exploit identified as actively exploited at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious link to FunnelKit Divi AJAX action
Delivery
Deliver crafted link to logged-in user
Exploit
Victim opens page, payload reflected unescaped
Execution
Script executes in authenticated session
Impact
Steal session or act as user

Vulnerability AssessmentAI

Exploitation Exploitation requires the Divi builder to be active on the target WordPress site, because the vulnerable page-builder AJAX action is only registered under that condition - sites running FunnelKit without Divi are not exploitable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 (High) driven largely by the scope change (S:C) and network vector, but real-world risk is moderated by several factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to the FunnelKit Divi page-builder AJAX endpoint embedding a malicious script in the vulnerable parameter and sends it to a WordPress administrator or editor (e.g., via phishing email or a comment). When the logged-in user opens the link, the unescaped parameter is reflected into the HTML response and the script executes in their authenticated session, enabling session/cookie theft or actions performed as that user. …
Remediation Vendor-released patch: upgrade FunnelKit to version 3.15.0.6 or later, which is the primary and definitive fix per the vendor advisory referenced by WPScan (https://wpscan.com/vulnerability/1b22645b-28cb-44f3-a5b9-c81a40175e59/). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using FunnelKit, determine current versions and Divi integration status, and prioritize customer-facing or administrative sites. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12978 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy