Skip to main content

Funnel Builder By Funnelkit

4 CVEs product

Monthly

CVE-2026-57816 HIGH This Week

Reflected cross-site scripting in the FunnelKit Funnel Builder WordPress plugin (versions up to and including 3.15.0.8) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS vector marks a scope change (S:C), the injected script runs beyond the vulnerable component and can affect the wider WordPress admin/site session context. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Funnel Builder By Funnelkit
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-56052 HIGH This Week

Blind SQL injection in FunnelKit Funnel Builder for WordPress (versions up to and including 3.15.0.5) allows authenticated attackers with high privileges to inject arbitrary SQL queries against the underlying database. The flaw is reported by Patchstack and tracked as CWE-89; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The CVSS scope change combined with confidentiality impact indicates database contents beyond the plugin context can be exfiltrated one bit at a time via blind techniques.

SQLi Funnel Builder By Funnelkit
NVD VulDB
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-48966 HIGH This Week

Unauthenticated stored/reflected cross-site scripting in the Funnel Builder by FunnelKit WordPress plugin (versions <= 3.15.0.2) allows remote attackers to inject malicious scripts that execute in a victim's browser when they visit a crafted page or link. The CVSS 3.1 score of 7.1 reflects a scope-changing impact with low confidentiality, integrity, and availability impact and required user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Funnel Builder By Funnelkit
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-42381 CRITICAL Act Now

SQL injection in the Funnel Builder by FunnelKit WordPress plugin (versions up to and including 3.15.0.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend database queries. The flaw, tracked by Patchstack and rated CVSS 9.3, requires no authentication or user interaction, enabling data exfiltration and limited integrity/availability impact across affected WordPress sites. There is no public exploit identified at time of analysis, but the trivial attack complexity and pre-auth nature make this a high-priority patching target.

SQLi Funnel Builder By Funnelkit
NVD
CVSS 3.1
9.3
EPSS
0.3%
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the FunnelKit Funnel Builder WordPress plugin (versions up to and including 3.15.0.8) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS vector marks a scope change (S:C), the injected script runs beyond the vulnerable component and can affect the wider WordPress admin/site session context. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Funnel Builder By Funnelkit
NVD
EPSS 0% CVSS 7.6
HIGH This Week

Blind SQL injection in FunnelKit Funnel Builder for WordPress (versions up to and including 3.15.0.5) allows authenticated attackers with high privileges to inject arbitrary SQL queries against the underlying database. The flaw is reported by Patchstack and tracked as CWE-89; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The CVSS scope change combined with confidentiality impact indicates database contents beyond the plugin context can be exfiltrated one bit at a time via blind techniques.

SQLi Funnel Builder By Funnelkit
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated stored/reflected cross-site scripting in the Funnel Builder by FunnelKit WordPress plugin (versions <= 3.15.0.2) allows remote attackers to inject malicious scripts that execute in a victim's browser when they visit a crafted page or link. The CVSS 3.1 score of 7.1 reflects a scope-changing impact with low confidentiality, integrity, and availability impact and required user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Funnel Builder By Funnelkit
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the Funnel Builder by FunnelKit WordPress plugin (versions up to and including 3.15.0.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend database queries. The flaw, tracked by Patchstack and rated CVSS 9.3, requires no authentication or user interaction, enabling data exfiltration and limited integrity/availability impact across affected WordPress sites. There is no public exploit identified at time of analysis, but the trivial attack complexity and pre-auth nature make this a high-priority patching target.

SQLi Funnel Builder By Funnelkit
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy