Impact
Unauthenticated Cross‑Site Scripting (XSS) (CWE‑79) is present in Funnel Builder by FunnelKit versions up to 3.15.0.2. The flaw allows an attacker to inject arbitrary script into the page that is rendered for any user visiting the affected site. This can enable malicious code execution in the victim’s browser but the impact in the official description is limited to the XSS vulnerability itself.
Affected Systems
The vulnerability affects WordPress sites that have installed Funnel Builder by FunnelKit version 3.15.0.2 or older. Sites that do not yet apply the available patch remain exposed.
Risk and Exploitability
The CVSS base score of 7.1 indicates a high severity, while the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is unauthenticated exploitation of user‑controllable input processed by the plugin, such as through a crafted request or malicious link – this is inferred from the description of the unauthenticated nature of the flaw.
OpenCVE Enrichment