Impact
The vulnerability arises from improper neutralization of special characters in SQL statements, allowing an attacker to inject malicious code. This can result in blind SQL injection where the attacker can read, modify, or delete database data, potentially compromising the confidentiality and integrity of the site and its users. The weakness is identified as CWE-89.
Affected Systems
WordPress Funnel Builder by FunnelKit plugin versions up to and including 3.15.0.5 are affected. This includes all installations that have not yet upgraded beyond 3.15.0.5. The issue applies to the plugin’s handling of user input within its funnel creation and editing interfaces.
Risk and Exploitability
The CVSS score of 7.6 indicates a high severity. The exploit probability (EPSS) is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploitation yet. Based on the description, it is inferred that the vulnerability is accessible over the network through the plugin’s exposed endpoints, making the likely attack vector remote exploitation that requires user interaction to supply crafted input. An attacker could exploit the blind nature of the injection to iteratively discover database structure and exfiltrate data.
OpenCVE Enrichment