Skip to main content

WPFunnels Pro CVE-2026-49778

| EUVDEUVD-2026-37624 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network-reachable XSS requiring victim click (UI:R); script runs in WordPress origin causing scope change with limited C/I/A impact on the admin session.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:02 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions.

AnalysisAI

Stored or reflected cross-site scripting in WPFunnels Pro WordPress plugin versions 2.9.4 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they interact with crafted content. The CVSS 3.1 score of 7.1 reflects the scope-changed impact (S:C) on the WordPress site, including potential session hijacking of administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running WPFunnels Pro ≤2.9.4
Delivery
Craft URL with XSS payload
Exploit
Deliver link to WordPress admin
Execution
Victim clicks, script executes in admin session
Persist
Steal cookie or create rogue admin
Impact
Persist backdoor in site

Vulnerability AssessmentAI

Exploitation Exploitation requires a WordPress site running WPFunnels Pro at version 2.9.4 or earlier with funnel pages or affected endpoints reachable by the attacker, and per CVSS UI:R it requires the victim to perform an action such as clicking a crafted link or loading a page that includes the malicious input. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates remote, unauthenticated exploitation with low complexity, but requires victim interaction such as clicking a crafted link or visiting a malicious funnel page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or funnel page parameter containing a JavaScript payload targeting the vulnerable WPFunnels Pro endpoint, then distributes it via phishing email, forum post, or malvertising. When a logged-in WordPress administrator clicks the link, the script executes in their browser session and silently creates a new admin account or exfiltrates the authentication cookie. …
Remediation Upgrade WPFunnels Pro to the version released after 2.9.4 as documented in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpfunnels-pro/vulnerability/wordpress-wpfunnels-pro-plugin-2-9-4-cross-site-scripting-xss-vulnerability); no specific fixed version is stated in the available input, so verify the exact patched release on the vendor changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress instances for WPFunnels Pro versions 2.9.4 and earlier; document scope and criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49778 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy