Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Network-reachable plugin endpoint (AV:N/AC:L) requires admin-level WordPress role (PR:H); blind SQLi reads cross-table data (S:C/C:H) with minor availability impact and no integrity change.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder by FunnelKit allows Blind SQL Injection.
This issue affects Funnel Builder by FunnelKit: from n/a through 3.15.0.5.
AnalysisAI
Blind SQL injection in FunnelKit Funnel Builder for WordPress (versions up to and including 3.15.0.5) allows authenticated attackers with high privileges to inject arbitrary SQL queries against the underlying database. The flaw is reported by Patchstack and tracked as CWE-89; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) a WordPress site running the FunnelKit Funnel Builder plugin at version 3.15.0.5 or earlier, (2) network reachability to wp-admin or the plugin's AJAX/REST endpoints, and (3) an authenticated session at a high-privilege role (PR:H - typically Administrator or Shop Manager in WooCommerce terms) capable of reaching the vulnerable plugin handler. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L) reflects a network-reachable, low-complexity attack that nonetheless requires high privileges (PR:H) - typically an admin or shop-manager role in WordPress - which materially limits realistic exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already obtained or compromised a high-privilege WordPress account (administrator or shop manager) on a site running Funnel Builder ≤ 3.15.0.5 submits crafted input to a vulnerable plugin endpoint that is concatenated into a SQL query. Using boolean- or time-based blind techniques, they iteratively exfiltrate sensitive data such as wp_users.user_pass hashes, secret_keys, and customer PII from WooCommerce tables. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed from the supplied data - operators should upgrade FunnelKit Funnel Builder to the first release above 3.15.0.5 as soon as the vendor publishes it and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/funnel-builder/vulnerability/wordpress-funnel-builder-by-funnelkit-plugin-3-15-0-5-sql-injection-vulnerability for the exact fixed build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress instances running FunnelKit versions up to 3.15.0.5; list all high-privilege user accounts with access to the plugin. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Funnel Builder By Funnelkit
View allSQL injection in the Funnel Builder by FunnelKit WordPress plugin (versions up to and including 3.15.0.1) allows unauthe
Reflected cross-site scripting in the FunnelKit Funnel Builder WordPress plugin (versions up to and including 3.15.0.8)
Unauthenticated stored/reflected cross-site scripting in the Funnel Builder by FunnelKit WordPress plugin (versions <= 3
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38713
GHSA-rj87-rfcc-35pw