An injection flaw exists due to improper handling of special characters in SQL statements crafted by the Funnel Builder by FunnelKit plugin. The weakness allows any user with access to the plugin’s input fields to embed additional SQL clauses, potentially enabling unauthorized data retrieval, modification, or deletion from the WordPress database. The consequence is a breach of confidentiality, integrity, and availability of site data, aligned with CWE‑89.

WordPress installations that include Aman’s Funnel Builder by FunnelKit plugin up to version 3.10.2 are affected. All earlier releases that employ this plugin layer in the 1.x series are also susceptible. Sites running the plugin beyond 3.10.2 have this issue fixed under the vendor’s latest release schedule. The vulnerable modules are embedded within the plugin’s form rendering components and administrative configuration screens.

The vulnerability carries a CVSS score of 7.6, indicating high severity. The EPSS score is under 1 % and the advisement has not yet been listed in the CISA KEV catalog, suggesting limited current exploitation activity. Nevertheless, the attack vector is likely through web input provided to the plugin: a malicious actor could craft payloads via front‑end forms or the WordPress admin interface if the site is not properly secured. Successful exploitation would allow the attacker to execute arbitrary SQL statements against the site’s database, leading to data theft or site compromise.