Skip to main content

FunnelKit Funnel Builder EUVDEUVD-2026-38713

| CVE-2026-56052 HIGH
SQL Injection (CWE-89)
2026-06-24 Patchstack GHSA-rj87-rfcc-35pw
7.6
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
7.6 HIGH

Network-reachable plugin endpoint (AV:N/AC:L) requires admin-level WordPress role (PR:H); blind SQLi reads cross-table data (S:C/C:H) with minor availability impact and no integrity change.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:L/SC:L/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 08:00 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder by FunnelKit allows Blind SQL Injection.

This issue affects Funnel Builder by FunnelKit: from n/a through 3.15.0.5.

AnalysisAI

Blind SQL injection in FunnelKit Funnel Builder for WordPress (versions up to and including 3.15.0.5) allows authenticated attackers with high privileges to inject arbitrary SQL queries against the underlying database. The flaw is reported by Patchstack and tracked as CWE-89; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privilege WordPress credentials
Delivery
Reach vulnerable Funnel Builder endpoint
Exploit
Inject blind SQL payload via parameter
Execution
Iteratively infer query results
Impact
Exfiltrate database contents across scope

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a WordPress site running the FunnelKit Funnel Builder plugin at version 3.15.0.5 or earlier, (2) network reachability to wp-admin or the plugin's AJAX/REST endpoints, and (3) an authenticated session at a high-privilege role (PR:H - typically Administrator or Shop Manager in WooCommerce terms) capable of reaching the vulnerable plugin handler. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L) reflects a network-reachable, low-complexity attack that nonetheless requires high privileges (PR:H) - typically an admin or shop-manager role in WordPress - which materially limits realistic exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already obtained or compromised a high-privilege WordPress account (administrator or shop manager) on a site running Funnel Builder ≤ 3.15.0.5 submits crafted input to a vulnerable plugin endpoint that is concatenated into a SQL query. Using boolean- or time-based blind techniques, they iteratively exfiltrate sensitive data such as wp_users.user_pass hashes, secret_keys, and customer PII from WooCommerce tables. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed from the supplied data - operators should upgrade FunnelKit Funnel Builder to the first release above 3.15.0.5 as soon as the vendor publishes it and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/funnel-builder/vulnerability/wordpress-funnel-builder-by-funnelkit-plugin-3-15-0-5-sql-injection-vulnerability for the exact fixed build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress instances running FunnelKit versions up to 3.15.0.5; list all high-privilege user accounts with access to the plugin. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38713 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy