Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated reflected XSS reachable over the network requires victim click (UI:R), executes in WordPress origin (S:C) with limited C/I/A impact bounded by victim privileges.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions.
AnalysisAI
Unauthenticated stored/reflected cross-site scripting in the Funnel Builder by FunnelKit WordPress plugin (versions <= 3.15.0.2) allows remote attackers to inject malicious scripts that execute in a victim's browser when they visit a crafted page or link. The CVSS 3.1 score of 7.1 reflects a scope-changing impact with low confidentiality, integrity, and availability impact and required user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw in Funnel Builder by FunnelKit, a WordPress plugin used to build sales funnels, checkout pages, and marketing automation flows for WooCommerce. The affected CPE is cpe:2.3:a:funnelkit:funnel_builder_by_funnelkit covering all versions through 3.15.0.2. XSS in WordPress plugins typically results from unsanitized input being rendered without escaping in plugin-generated pages, shortcodes, or admin views, enabling attacker-controlled HTML/JavaScript to execute in a logged-in or anonymous user's browser session against the WordPress origin.
RemediationAI
Upgrade Funnel Builder by FunnelKit to a version newer than 3.15.0.2 once the vendor publishes a fixed release; refer to the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/funnel-builder/vulnerability/wordpress-funnel-builder-by-funnelkit-plugin-3-15-0-2-cross-site-scripting-xss-vulnerability for the patched version and vendor changelog. Patch status from input: patch availability not explicitly stated, so treat as no vendor-released patch independently confirmed at time of analysis and monitor the vendor changelog. As compensating controls until patched, consider deploying a WAF rule or Patchstack mitigation to filter XSS payloads against plugin endpoints, enforcing a strict Content-Security-Policy that disallows inline scripts on funnel pages (side effect: may break legitimate inline JS in funnels), restricting admin access to known IPs to limit phishing impact on privileged users, and training admins to avoid clicking unsolicited links to plugin URLs.
More in Funnel Builder By Funnelkit
View allSQL injection in the Funnel Builder by FunnelKit WordPress plugin (versions up to and including 3.15.0.1) allows unauthe
Blind SQL injection in FunnelKit Funnel Builder for WordPress (versions up to and including 3.15.0.5) allows authenticat
Reflected cross-site scripting in the FunnelKit Funnel Builder WordPress plugin (versions up to and including 3.15.0.8)
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36865
GHSA-r6wf-xf46-772h