Skip to main content

Funnelkit

2 CVEs product

Monthly

CVE-2026-12979 MEDIUM POC PATCH This Month

Path traversal in FunnelKit WordPress plugin before 3.15.0.6 enables authenticated administrators to delete arbitrary .json files outside the plugin's intended directory during template-import operations. The root cause is CWE-73 (External Control of File Name or Path): the deletion handler accepts user-supplied paths without canonicalization or boundary enforcement. Leveraging CVSS scope change (S:C), a malicious admin can target configuration files belonging to other installed plugins, causing cascading denial-of-service across the WordPress installation. A publicly available exploit exists; the vulnerability is not in the CISA KEV catalog at time of analysis.

Path Traversal Denial Of Service WordPress Funnelkit
NVD WPScan
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-12978 HIGH POC PATCH This Week

Reflected Cross-Site Scripting in the FunnelKit WordPress plugin before 3.15.0.6 lets unauthenticated attackers inject arbitrary JavaScript into a page-builder AJAX response, which executes in the browser of a logged-in user who opens an attacker-crafted link. The flaw is only reachable when the Divi builder integration is active, and publicly available exploit code exists though there is no public exploit identified as actively exploited at time of analysis. EPSS was not provided and the vulnerability is not on CISA KEV, so widespread exploitation is unconfirmed.

WordPress XSS Funnelkit
NVD WPScan
CVSS 3.1
7.1
EPSS
0.2%
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Path traversal in FunnelKit WordPress plugin before 3.15.0.6 enables authenticated administrators to delete arbitrary .json files outside the plugin's intended directory during template-import operations. The root cause is CWE-73 (External Control of File Name or Path): the deletion handler accepts user-supplied paths without canonicalization or boundary enforcement. Leveraging CVSS scope change (S:C), a malicious admin can target configuration files belonging to other installed plugins, causing cascading denial-of-service across the WordPress installation. A publicly available exploit exists; the vulnerability is not in the CISA KEV catalog at time of analysis.

Path Traversal Denial Of Service WordPress +1
NVD WPScan
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Reflected Cross-Site Scripting in the FunnelKit WordPress plugin before 3.15.0.6 lets unauthenticated attackers inject arbitrary JavaScript into a page-builder AJAX response, which executes in the browser of a logged-in user who opens an attacker-crafted link. The flaw is only reachable when the Divi builder integration is active, and publicly available exploit code exists though there is no public exploit identified as actively exploited at time of analysis. EPSS was not provided and the vulnerability is not on CISA KEV, so widespread exploitation is unconfirmed.

WordPress XSS Funnelkit
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy