Reflected Cross-Site Scripting in FunnelKit WordPress Plugin by FunnelKit
CVE-2026-12978

Currently unrated

Key Information:

Vendor

WordPress

Status
Vendor
CVE Published:
16 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-12978?

The FunnelKit WordPress plugin versions prior to 3.15.0.6 are vulnerable to reflected cross-site scripting attacks due to improper handling of user-supplied parameters in its AJAX actions. This flaw enables unauthenticated attackers to inject malicious scripts that are executed in the context of users' browsers when they access a specially crafted page while logged in. The vulnerability only occurs when the Divi builder is active, potentially exposing sensitive user data and compromising user sessions.

Affected Version(s)

FunnelKit 0 < 3.15.0.6

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Meher Sudhakar Abbireddi
WPScan
.