Skip to main content

FunnelKit Automations CVE-2026-39450

| EUVD-2026-36929 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-15 Patchstack GHSA-cpw9-rv4g-g54v
Information Disclosure Funnelkit Automations
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
7.1 HIGH

Remote HTTP reach (AV:N), no special conditions (AC:L), subscriber account required (PR:L), no user interaction (UI:N); broken auth lets attackers tamper with automation state (I:L) and disrupt the plugin (A:H), no clear data disclosure (C:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:32 vuln.today

DescriptionCVE.org

Subscriber Broken Authentication in FunnelKit Automations <= 3.7.3 versions.

AnalysisAI

Broken authentication in the FunnelKit Automations WordPress plugin (versions <= 3.7.3) allows authenticated low-privilege users (subscribers) to bypass intended authentication controls, leading to integrity tampering and availability impact on the WordPress site. The flaw is reported by Patchstack and tracked as EUVD-2026-36929, with no public exploit identified at time of analysis and no CISA KEV listing. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on target site
Delivery
Authenticate to WordPress
Exploit
Send crafted request to vulnerable plugin endpoint
Execution
Bypass capability check via CWE-288 flaw
Persist
Invoke privileged automation action
Impact
Tamper with or disrupt FunnelKit workflows
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) the target WordPress site to have FunnelKit Automations plugin installed and active at version <= 3.7.3, and (2) the attacker to hold at least a subscriber-level WordPress account on the target site (PR:L) - trivially obtainable where 'Anyone can register' is enabled, otherwise requiring credential acquisition or insider access. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H indicates a remotely reachable, low-complexity bypass requiring only a subscriber-level account, with no confidentiality impact but low integrity and high availability impact - consistent with an attacker tampering with automation/workflow state or deleting/disrupting funnels. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a target WordPress site running FunnelKit Automations <= 3.7.3 (or uses an existing low-privilege account), then sends a crafted authenticated HTTP request to a plugin AJAX or REST endpoint that fails to enforce capability checks, invoking a privileged automation action such as modifying or deleting funnels, broadcasts, or contact records. The result is integrity tampering of marketing-automation state and disruption of plugin availability for the site owner. …
Remediation Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should upgrade FunnelKit Automations to the latest version above 3.7.3 published on the WordPress.org plugin repository and verify the changelog references this Patchstack report. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Disable open subscriber registration if operationally feasible; review subscriber account activity logs for suspicious changes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39450 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy