Skip to main content

Funnel Builder by FunnelKit EUVDEUVD-2026-36865

| CVE-2026-48966 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-r6wf-xf46-772h
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated reflected XSS reachable over the network requires victim click (UI:R), executes in WordPress origin (S:C) with limited C/I/A impact bounded by victim privileges.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:42 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions.

AnalysisAI

Unauthenticated stored/reflected cross-site scripting in the Funnel Builder by FunnelKit WordPress plugin (versions <= 3.15.0.2) allows remote attackers to inject malicious scripts that execute in a victim's browser when they visit a crafted page or link. The CVSS 3.1 score of 7.1 reflects a scope-changing impact with low confidentiality, integrity, and availability impact and required user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw in Funnel Builder by FunnelKit, a WordPress plugin used to build sales funnels, checkout pages, and marketing automation flows for WooCommerce. The affected CPE is cpe:2.3:a:funnelkit:funnel_builder_by_funnelkit covering all versions through 3.15.0.2. XSS in WordPress plugins typically results from unsanitized input being rendered without escaping in plugin-generated pages, shortcodes, or admin views, enabling attacker-controlled HTML/JavaScript to execute in a logged-in or anonymous user's browser session against the WordPress origin.

RemediationAI

Upgrade Funnel Builder by FunnelKit to a version newer than 3.15.0.2 once the vendor publishes a fixed release; refer to the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/funnel-builder/vulnerability/wordpress-funnel-builder-by-funnelkit-plugin-3-15-0-2-cross-site-scripting-xss-vulnerability for the patched version and vendor changelog. Patch status from input: patch availability not explicitly stated, so treat as no vendor-released patch independently confirmed at time of analysis and monitor the vendor changelog. As compensating controls until patched, consider deploying a WAF rule or Patchstack mitigation to filter XSS payloads against plugin endpoints, enforcing a strict Content-Security-Policy that disallows inline scripts on funnel pages (side effect: may break legitimate inline JS in funnels), restricting admin access to known IPs to limit phishing impact on privileged users, and training admins to avoid clicking unsolicited links to plugin URLs.

Share

EUVD-2026-36865 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy