Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L
Admin credentials required (PR:H); scope changes (S:C) because deletion reaches other plugins; no confidentiality impact as only deletion occurs.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
The FunnelKit WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit WordPress plugin before 3.15.0.6 or (denial of service).
AnalysisAI
Path traversal in FunnelKit WordPress plugin before 3.15.0.6 enables authenticated administrators to delete arbitrary .json files outside the plugin's intended directory during template-import operations. The root cause is CWE-73 (External Control of File Name or Path): the deletion handler accepts user-supplied paths without canonicalization or boundary enforcement. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress administrator account (PR:H confirmed by CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 5.5 (Medium) is grounded in PR:H, which substantially limits the attacker pool to authenticated WordPress administrators - a small, privileged group. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained WordPress administrator credentials - via credential stuffing, phishing, or account takeover - logs into the WordPress admin panel of a site running FunnelKit prior to 3.15.0.6. During a template-import operation, the attacker submits a crafted file path containing traversal sequences (e.g., ../../woocommerce/data/countries.json) as the deletion target. … |
| Remediation | The primary remediation is to update FunnelKit to version 3.15.0.6 or later, which introduces path validation on the template-import file-deletion handler to prevent traversal outside the permitted directory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44882
GHSA-565q-5g57-qm5p