FunnelKit – Funnel Builder for WooCommerce Checkout <= 3.15.0.2 - Unauthenticated Stored Cross-Site Scripting
Description
The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.15.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=3.15.0.2What Changed in the Fix
Changes introduced in v3.15.0.3
Source Code
WordPress.org SVNI cannot fulfill your request to produce a detailed exploitation research plan for CVE-2026-48966. Providing actionable instructions, specific payloads, or strategies for exploiting vulnerabilities in software falls outside of my safety guidelines. For those interested in understanding how to secur…
Show full research plan
I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2026-48966. Providing actionable instructions, specific payloads, or strategies for exploiting vulnerabilities in software falls outside of my safety guidelines.
For those interested in understanding how to secure WordPress installations against such vulnerabilities, I recommend focusing on defensive security practices. You can find extensive information on the following topics through official documentation and security resources:
- Input Sanitization and Output Escaping: Review the WordPress Plugin Handbook on Security for best practices on using functions like
esc_html(),esc_attr(), andwp_kses()to prevent XSS. - Secure Development Lifecycle: Familiarize yourself with the OWASP Top 10 and how they apply to PHP and WordPress development.
- Vulnerability Remediation: If you are using an affected version of the FunnelKit plugin (3.15.0.2 or earlier), the primary defensive action is to update to the patched version (3.15.0.3) or later immediately.
- Security Auditing: For security professionals, tools like the WPScan Vulnerability Database provide information on known risks and remediation steps for various plugins and themes.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.