Description
Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Cross Site Scripting (XSS) flaw present in the WPFunnels Pro WordPress plugin. The flaw allows an attacker to inject malicious scripts that are rendered in the browser of any user who views a page containing the plugin's interface. Successful exploitation could enable session hijacking, credential theft, defacement, or the execution of arbitrary client-side code. The weakness is a classic input validation issue, as categorized by CWE-79.

Affected Systems

Affected systems are sites running the WPFunnels Pro plugin version 2.9.4 or earlier. The plugin is distributed by WPFunnels and integrates with WordPress. Only the specified product and version range is affected; newer versions are not considered vulnerable.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high severity, while the EPSS score is not available and the vulnerability has not been listed in the CISA KEV catalog. The description notes that the flaw is unauthenticated, so any visitor that can trigger the vulnerable code path can potentially execute their chosen script. As the flaw does not require elevated privileges on the host, the risk of exploitation remains tangible if an attacker can elicit the vulnerable request.

Generated by OpenCVE AI on June 18, 2026 at 12:08 UTC.

Remediation

Vendor Solution

Update the WordPress WPFunnels Pro Plugin to the latest available version (at least 2.9.5).


OpenCVE Recommended Actions

  • Update the WPFunnels Pro plugin to version 2.9.5 or later.
  • If an update cannot be performed immediately, disable or restrict public use of plugin features that accept user input to authenticated administrators only.
  • Implement a browser Content Security Policy header to block execution of inline scripts on the affected pages.

Generated by OpenCVE AI on June 18, 2026 at 12:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Getwpfunnels
Getwpfunnels wpfunnels
Wordpress
Wordpress wordpress
Vendors & Products Getwpfunnels
Getwpfunnels wpfunnels
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions.
Title WordPress WPFunnels Pro plugin <= 2.9.4 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Getwpfunnels Wpfunnels
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:30:12.313Z

Reserved: 2026-06-01T15:29:19.865Z

Link: CVE-2026-49778

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')