CVE-2026-48966

Vulnerability

An unauthenticated Cross-Site Scripting (XSS) vulnerability exists in the Funnel Builder plugin by FunnelKit for WordPress, affecting versions up to and including 3.15.0.2. The flaw allows attackers to inject arbitrary web scripts or HTML into pages generated by the plugin without requiring authentication. The vulnerability is present in the plugin's handling of certain input fields which are not properly sanitized before output [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL or form submission containing a JavaScript payload. No prior authentication is required, but successful exploitation does require a privileged user (such as an administrator) to perform an action—such as clicking a malicious link, visiting a crafted page, or submitting a form—which triggers the execution of the injected script [1]. This user interaction is typically achieved through social engineering.

Impact

If successfully exploited, an attacker can inject malicious scripts that execute in the context of the victim's browser. Impacts include redirection to malicious sites, injection of advertisements, theft of session cookies, or other actions that can compromise the integrity and confidentiality of the WordPress site and its visitors [1]. The vulnerability is rated with a CVSS v3 score of 7.1 (High) and is expected to be used in mass-exploit campaigns [1].

Mitigation

The vulnerability is fixed in version 3.15.0.3 of the Funnel Builder plugin. Users are strongly advised to update to this version or later immediately. Patchstack provides a mitigation rule to block attacks until the update is applied. For users unable to update promptly, it is recommended to contact the hosting provider or a web developer for assistance. There is no mention of this CVE on the CISA KEV list [1].