Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder by FunnelKit allows Blind SQL Injection.

This issue affects Funnel Builder by FunnelKit: from n/a through 3.15.0.5.
Published: 2026-06-24
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of special characters in SQL statements, allowing an attacker to inject malicious code. This can result in blind SQL injection where the attacker can read, modify, or delete database data, potentially compromising the confidentiality and integrity of the site and its users. The weakness is identified as CWE-89.

Affected Systems

WordPress Funnel Builder by FunnelKit plugin versions up to and including 3.15.0.5 are affected. This includes all installations that have not yet upgraded beyond 3.15.0.5. The issue applies to the plugin’s handling of user input within its funnel creation and editing interfaces.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity. The exploit probability (EPSS) is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploitation yet. Based on the description, it is inferred that the vulnerability is accessible over the network through the plugin’s exposed endpoints, making the likely attack vector remote exploitation that requires user interaction to supply crafted input. An attacker could exploit the blind nature of the injection to iteratively discover database structure and exfiltrate data.

Generated by OpenCVE AI on June 24, 2026 at 13:35 UTC.

Remediation

Vendor Solution

Update the WordPress Funnel Builder by FunnelKit Plugin to the latest available version (at least 3.15.0.6).


OpenCVE Recommended Actions

  • Update the WordPress Funnel Builder by FunnelKit Plugin to version 3.15.0.6 or later.
  • Restrict access to the funnel builder features to trusted administrative users only.
  • Review the database for unexpected changes or schema modifications that could indicate a prior exploitation.

Generated by OpenCVE AI on June 24, 2026 at 13:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Funnelkit
Funnelkit funnel Builder By Funnelkit
Wordpress
Wordpress wordpress
Vendors & Products Funnelkit
Funnelkit funnel Builder By Funnelkit
Wordpress
Wordpress wordpress

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder by FunnelKit allows Blind SQL Injection. This issue affects Funnel Builder by FunnelKit: from n/a through 3.15.0.5.
Title WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.5 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Funnelkit Funnel Builder By Funnelkit
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-24T12:22:06.373Z

Reserved: 2026-06-18T14:37:51.351Z

Link: CVE-2026-56052

cve-icon Vulnrichment

Updated: 2026-06-24T12:22:02.702Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T13:45:16Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')