Skip to main content

FunnelKit EUVDEUVD-2026-44882

| CVE-2026-12979 MEDIUM
External Control of File Name or Path (CWE-73)
2026-07-16 WPScan GHSA-565q-5g57-qm5p
5.5
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L
vuln.today AI
5.5 MEDIUM

Admin credentials required (PR:H); scope changes (S:C) because deletion reaches other plugins; no confidentiality impact as only deletion occurs.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Jul 16, 2026 - 13:26 vuln.today
CVSS changed
Jul 16, 2026 - 13:22 NVD
5.5 (MEDIUM)
Patch available
Jul 16, 2026 - 10:18 EUVD
CVE Published
Jul 16, 2026 - 06:00 cve.org
MEDIUM 5.5
CVE Published
Jul 16, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The FunnelKit WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit WordPress plugin before 3.15.0.6 or (denial of service).

AnalysisAI

Path traversal in FunnelKit WordPress plugin before 3.15.0.6 enables authenticated administrators to delete arbitrary .json files outside the plugin's intended directory during template-import operations. The root cause is CWE-73 (External Control of File Name or Path): the deletion handler accepts user-supplied paths without canonicalization or boundary enforcement. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise WordPress admin credentials
Delivery
Authenticate to WordPress admin panel
Exploit
Trigger FunnelKit template-import operation
Execution
Submit path-traversal payload as file path parameter
Persist
FunnelKit deletes targeted .json file outside plugin directory
Impact
Co-installed plugin loses configuration and fails (denial of service)

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress administrator account (PR:H confirmed by CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 5.5 (Medium) is grounded in PR:H, which substantially limits the attacker pool to authenticated WordPress administrators - a small, privileged group. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained WordPress administrator credentials - via credential stuffing, phishing, or account takeover - logs into the WordPress admin panel of a site running FunnelKit prior to 3.15.0.6. During a template-import operation, the attacker submits a crafted file path containing traversal sequences (e.g., ../../woocommerce/data/countries.json) as the deletion target. …
Remediation The primary remediation is to update FunnelKit to version 3.15.0.6 or later, which introduces path validation on the template-import file-deletion handler to prevent traversal outside the permitted directory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44882 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy