FunnelKit Funnel Builder for WooCommerce Checkout
by Funnelkit
Source repositories
CVEs (4)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-7654 | Hig | 0.57 | 8.8 | 0.01 | Aug 19, 2025 | Multiple FunnelKit plugins are vulnerable to Sensitive Information Exposure via the wf_get_cookie shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including authentication cookies of other site… | ||
| CVE-2025-14169 | Hig | 0.49 | 7.5 | 0.00 | Dec 12, 2025 | The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient… | ||
| CVE-2026-47100 | Hig | 0.42 | 7.5 | 0.00 | May 19, 2026 | Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting.… | ||
| CVE-2025-12878 | Med | 0.35 | 6.4 | 0.00 | Nov 19, 2025 | The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `wfop_phone` shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and output escaping on the… |
- risk 0.57cvss 8.8epss 0.01
Multiple FunnelKit plugins are vulnerable to Sensitive Information Exposure via the wf_get_cookie shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including authentication cookies of other site…
- risk 0.49cvss 7.5epss 0.00
The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient…
- risk 0.42cvss 7.5epss 0.00
Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting.…
- risk 0.35cvss 6.4epss 0.00
The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `wfop_phone` shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and output escaping on the…