Unauthenticated Cross Site Scripting Vulnerability in WPFunnels Pro Plugin
CVE-2026-49778

7.1 HIGH

Key Information:

Vendor: WordPress

CVE Published: 17 June 2026

What is CVE-2026-49778?

The WPFunnels Pro plugin versions up to 2.9.4 are susceptible to an unauthenticated Cross Site Scripting (XSS) vulnerability. This flaw allows attackers to execute arbitrary JavaScript code in the context of a user's session, potentially leading to data theft or unauthorized actions on behalf of the user. Administrators of affected sites should promptly update to secure versions to mitigate these risks.

Affected Version(s)

WPFunnels Pro <= 2.9.4

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

dutafi | Patchstack Bug Bounty Program