Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Pre-auth network-reachable SQLi on a WordPress plugin justifies AV:N/AC:L/PR:N/UI:N; scope change to the shared DB warrants S:C with C:H read access and A:L for query load, I:N per description.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions.
AnalysisAI
SQL injection in the Funnel Builder by FunnelKit WordPress plugin (versions up to and including 3.15.0.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend database queries. The flaw, tracked by Patchstack and rated CVSS 9.3, requires no authentication or user interaction, enabling data exfiltration and limited integrity/availability impact across affected WordPress sites. There is no public exploit identified at time of analysis, but the trivial attack complexity and pre-auth nature make this a high-priority patching target.
Technical ContextAI
Funnel Builder by FunnelKit is a WordPress plugin used to build sales funnels, checkout flows, and marketing automation pipelines, typically integrated with WooCommerce. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated into SQL queries without proper sanitization or prepared statements. The CPE cpe:2.3:a:funnelkit:funnel_builder_by_funnelkit:*:*:*:*:*:*:*:* confirms the affected product is the FunnelKit-published WordPress plugin across all versions up to the fixed release, with the WordPress MySQL/MariaDB backend as the targeted query interpreter.
RemediationAI
Patch available per vendor advisory - upgrade Funnel Builder by FunnelKit to the next release above 3.15.0.1 as published on the WordPress.org plugin repository and referenced in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/funnel-builder/vulnerability/wordpress-funnel-builder-by-funnelkit-plugin-3-15-0-1-sql-injection-vulnerability). Until upgrade is possible, deploy a WordPress WAF rule (Patchstack, Wordfence, or equivalent) with virtual patching for this CVE, restrict access to funnel-related endpoints via IP allowlisting at the web server or CDN layer, and consider temporarily deactivating the plugin if funnel functionality is non-essential - note that deactivation will break any live checkout funnels and lead-capture pages. Review WordPress and MySQL logs for anomalous queries containing UNION, SLEEP, or BENCHMARK patterns targeting plugin endpoints to detect prior exploitation, and rotate database and admin credentials if compromise is suspected.
More in Funnel Builder By Funnelkit
View allBlind SQL injection in FunnelKit Funnel Builder for WordPress (versions up to and including 3.15.0.5) allows authenticat
Reflected cross-site scripting in the FunnelKit Funnel Builder WordPress plugin (versions up to and including 3.15.0.8)
Unauthenticated stored/reflected cross-site scripting in the Funnel Builder by FunnelKit WordPress plugin (versions <= 3
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36811
GHSA-927h-6rjm-j276