Funnelkit
Monthly
Path traversal in FunnelKit WordPress plugin before 3.15.0.6 enables authenticated administrators to delete arbitrary .json files outside the plugin's intended directory during template-import operations. The root cause is CWE-73 (External Control of File Name or Path): the deletion handler accepts user-supplied paths without canonicalization or boundary enforcement. Leveraging CVSS scope change (S:C), a malicious admin can target configuration files belonging to other installed plugins, causing cascading denial-of-service across the WordPress installation. A publicly available exploit exists; the vulnerability is not in the CISA KEV catalog at time of analysis.
Reflected Cross-Site Scripting in the FunnelKit WordPress plugin before 3.15.0.6 lets unauthenticated attackers inject arbitrary JavaScript into a page-builder AJAX response, which executes in the browser of a logged-in user who opens an attacker-crafted link. The flaw is only reachable when the Divi builder integration is active, and publicly available exploit code exists though there is no public exploit identified as actively exploited at time of analysis. EPSS was not provided and the vulnerability is not on CISA KEV, so widespread exploitation is unconfirmed.
Path traversal in FunnelKit WordPress plugin before 3.15.0.6 enables authenticated administrators to delete arbitrary .json files outside the plugin's intended directory during template-import operations. The root cause is CWE-73 (External Control of File Name or Path): the deletion handler accepts user-supplied paths without canonicalization or boundary enforcement. Leveraging CVSS scope change (S:C), a malicious admin can target configuration files belonging to other installed plugins, causing cascading denial-of-service across the WordPress installation. A publicly available exploit exists; the vulnerability is not in the CISA KEV catalog at time of analysis.
Reflected Cross-Site Scripting in the FunnelKit WordPress plugin before 3.15.0.6 lets unauthenticated attackers inject arbitrary JavaScript into a page-builder AJAX response, which executes in the browser of a logged-in user who opens an attacker-crafted link. The flaw is only reachable when the Divi builder integration is active, and publicly available exploit code exists though there is no public exploit identified as actively exploited at time of analysis. EPSS was not provided and the vulnerability is not on CISA KEV, so widespread exploitation is unconfirmed.