Skip to main content

Funnel Builder EUVDEUVD-2026-36811

| CVE-2026-42381 CRITICAL
SQL Injection (CWE-89)
2026-06-15 Patchstack GHSA-927h-6rjm-j276
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Pre-auth network-reachable SQLi on a WordPress plugin justifies AV:N/AC:L/PR:N/UI:N; scope change to the shared DB warrants S:C with C:H read access and A:L for query load, I:N per description.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:L/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:04 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions.

AnalysisAI

SQL injection in the Funnel Builder by FunnelKit WordPress plugin (versions up to and including 3.15.0.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend database queries. The flaw, tracked by Patchstack and rated CVSS 9.3, requires no authentication or user interaction, enabling data exfiltration and limited integrity/availability impact across affected WordPress sites. There is no public exploit identified at time of analysis, but the trivial attack complexity and pre-auth nature make this a high-priority patching target.

Technical ContextAI

Funnel Builder by FunnelKit is a WordPress plugin used to build sales funnels, checkout flows, and marketing automation pipelines, typically integrated with WooCommerce. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated into SQL queries without proper sanitization or prepared statements. The CPE cpe:2.3:a:funnelkit:funnel_builder_by_funnelkit:*:*:*:*:*:*:*:* confirms the affected product is the FunnelKit-published WordPress plugin across all versions up to the fixed release, with the WordPress MySQL/MariaDB backend as the targeted query interpreter.

RemediationAI

Patch available per vendor advisory - upgrade Funnel Builder by FunnelKit to the next release above 3.15.0.1 as published on the WordPress.org plugin repository and referenced in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/funnel-builder/vulnerability/wordpress-funnel-builder-by-funnelkit-plugin-3-15-0-1-sql-injection-vulnerability). Until upgrade is possible, deploy a WordPress WAF rule (Patchstack, Wordfence, or equivalent) with virtual patching for this CVE, restrict access to funnel-related endpoints via IP allowlisting at the web server or CDN layer, and consider temporarily deactivating the plugin if funnel functionality is non-essential - note that deactivation will break any live checkout funnels and lead-capture pages. Review WordPress and MySQL logs for anomalous queries containing UNION, SLEEP, or BENCHMARK patterns targeting plugin endpoints to detect prior exploitation, and rotate database and admin credentials if compromise is suspected.

Share

EUVD-2026-36811 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy