Reflected Cross-Site Scripting in FunnelKit WordPress Plugin by FunnelKit
CVE-2026-12978
Currently unrated
Key Information:
Badges
๐พ Exploit Exists๐ก Public PoC
What is CVE-2026-12978?
The FunnelKit WordPress plugin versions prior to 3.15.0.6 are vulnerable to reflected cross-site scripting attacks due to improper handling of user-supplied parameters in its AJAX actions. This flaw enables unauthenticated attackers to inject malicious scripts that are executed in the context of users' browsers when they access a specially crafted page while logged in. The vulnerability only occurs when the Divi builder is active, potentially exposing sensitive user data and compromising user sessions.
Affected Version(s)
FunnelKit 0 < 3.15.0.6
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.