43 matches found

Nuclei
added 8 hours ago, 17 views

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the installoractivateaddonplugins function and a weak nonce hash in all...

CVSS 9.8, AI score 5.9, EPSS 0.02904
Exploits: 0, References: 3
CVE
added yesterday, 8 views

CVE-2026-56052

CVE-2026-56052 is a SQL Injection vulnerability in WordPress Funnel Builder by FunnelKit up to version 3.15.0.5. The root cause is improper neutralization of certain elements in SQL commands, enabling blind SQL injection. Affected product: Funnel Builder by FunnelKit (WordPress plugin). CVSS 3.1 ...

CVSS 7.6, AI score 5.9, EPSS 0.00226
Exploits: 0, References: 1
CVE
added 2026/06/15 8:19 p.m., 18 views

CVE-2026-48966

The CVE concerns the WordPress Funnel Builder by FunnelKit plugin (versions

CVSS 7.1, AI score 5.1, EPSS 0.00175
Exploits: 0, References: 1
Cvelist
added 2026/06/15 8:19 p.m., 27 views

CVE-2026-48966 WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.2 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions...

CVSS 7.1, EPSS 0.00175
Exploits: 0, References: 1
CVE
added 2026/06/15 8:18 p.m., 13 views

CVE-2026-42381

CVE-2026-42381 affects WordPress Funnel Builder by FunnelKit plugin versions

CVSS 9.3, AI score 5.7, EPSS 0.00283
Exploits: 0, References: 1
Patchstack
added 2025/12/31 12:0 a.m., 7 views

WordPress FunnelKit plugin <= 3.13.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wfop_phone Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via wfop_phone Shortcode vulnerability discovered by zaim in WordPress Plugin Funnel Builder by FunnelKit versions <= 3.13.1.2...

CVSS 6.4, AI score 5.9, EPSS 0.00209
Exploits: 0, References: 1, Affected Software: 1
RedhatCVE
added 2025/12/13 8:7 a.m., 5 views

CVE-2025-14169

The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on th...

CVSS 7.5, AI score 6.8, EPSS 0.00316
Exploits: 0, References: 1
NVD
added 2025/12/12 8:15 a.m., 3 views

CVE-2025-14169

The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on th...

CVSS 7.5, EPSS 0.00316
Exploits: 0, References: 4
Cvelist
added 2025/12/12 7:20 a.m., 30 views

CVE-2025-14169 FunnelKit – Funnel Builder for WooCommerce Checkout <= 3.13.1.5 - Unauthenticated SQL Injection

The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on th...

CVSS 7.5, EPSS 0.00316
Exploits: 0, References: 4
CVE
added 2025/12/12 7:20 a.m., 19 views

CVE-2025-14169

CVE-2025-14169 affects FunnelKit – Funnel Builder for WooCommerce Checkout (WordPress). Time-based blind SQL Injection via the opid parameter exists in all versions up to 3.13.1.5 due to insufficient escaping and poor SQL query preparation. Unauthenticated attackers could append additional SQL to...

CVSS 7.5, AI score 6.4, EPSS 0.00316
Exploits: 0, References: 4
Vulnrichment
added 2025/11/21 12:29 p.m., 2 views

CVE-2025-66067 WordPress Funnel Builder by FunnelKit plugin <= 3.13.1.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman Funnel Builder by FunnelKit funnel-builder allows DOM-Based XSS. This issue affects Funnel Builder by FunnelKit: from n/a through <= 3.13.1.2...

CVSS 6.5, AI score 5.2, EPSS 0.00167
Exploits: 0, References: 1
EUVD
added 2025/11/19 6:31 a.m., 5 views

EUVD-2025-198104

The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wfop_phone shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and output escaping on the user-supplied default...

CVSS 6.4, AI score 4.6, EPSS 0.00209
Exploits: 0, References: 8
Cvelist
added 2025/11/19 5:45 a.m., 13 views

CVE-2025-12878 FunnelKit – Funnel Builder for WooCommerce Checkout <= 3.13.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wfop_phone Shortcode

The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wfop_phone shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and output escaping on the user-supplied default...

CVSS 6.4, EPSS 0.00209
Exploits: 0, References: 7
CVE
added 2025/11/19 5:45 a.m., 18 views

CVE-2025-12878

The FunnelKit – Funnel Builder for WooCommerce Checkout WordPress plugin is affected by a stored XSS via the wfop_phone shortcode, in all versions up to and including 3.13.1.2. Exploitation requires authenticated access at Contributor+ level, due to insufficient input sanitization and output esca...

CVSS 6.4, AI score 4.7, EPSS 0.00209
Exploits: 0, References: 7
Patchstack
added 2025/11/07 1:0 a.m., 7 views

WordPress FunnelKit plugin < 3.12.0.1 - Reflected XSS vulnerability

Reflected XSS vulnerability discovered by Marc Montpas in WordPress Plugin Funnel Builder by FunnelKit versions < 3.12.0.1...

CVSS 6.3, AI score 6.2, EPSS 0.00151
Exploits: 0, References: 1, Affected Software: 1
RedhatCVE
added 2025/11/06 6:13 a.m., 12 views

CVE-2025-10567

The FunnelKit WordPress plugin before 3.12.0.1 does not sanitize user input before echoing it back in some of its checkout-related AJAX actions, allowing attackers to conduct reflected XSS attacks against logged-in users...

CVSS 6.3, AI score 6.1, EPSS 0.00151
Exploits: 0, References: 1
NVD
added 2025/11/05 6:15 a.m., 11 views

CVE-2025-10567

The FunnelKit WordPress plugin before 3.12.0.1 does not sanitize user input before echoing it back in some of its checkout-related AJAX actions, allowing attackers to conduct reflected XSS attacks against logged-in users...

CVSS 6.3, EPSS 0.00151
Exploits: 0, References: 1
CVE
added 2025/11/05 6:0 a.m., 15 views

CVE-2025-10567

CVE-2025-10567: FunnelKit Funnel Builder for WooCommerce Checkout (WordPress plugin) before 3.12.0.1 is vulnerable to reflected XSS in checkout-related AJAX actions due to unsanitized user input echoed back in responses. The issue affects logged-in users and is documented across multiple sources...

CVSS 6.3, AI score 5.7, EPSS 0.00151
Exploits: 0, References: 1
Vulnrichment
added 2025/11/05 6:0 a.m., 3 views

CVE-2025-10567 FunnelKit < 3.12.0.1 - Reflected XSS

The FunnelKit WordPress plugin before 3.12.0.1 does not sanitize user input before echoing it back in some of its checkout-related AJAX actions, allowing attackers to conduct reflected XSS attacks against logged-in users...

AI score 5.7, EPSS 0.00151
Exploits: 0, References: 1
Positive Technologies
added 2025/11/05 12:0 a.m., 9 views

PT-2025-45080

Name of the Vulnerable Software and Affected Versions: FunnelKit WordPress plugin versions prior to 3.12.0.1. Description: The software does not properly sanitize user-provided data before displaying it in certain checkout-related AJAX operations. This can allow attackers to execute reflected...

CVSS 6.3, AI score 6, EPSS 0.00151
Exploits: 0, References: 4