CVE-2026-12978 in FunnelKit Plugin
Summary
by MITRE • 07/16/2026
The FunnelKit WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted page. The affected action is only registered when the Divi /builder is active.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The FunnelKit WordPress plugin vulnerability represents a critical reflected cross-site scripting flaw that affects versions prior to 3.15.0.6. This security weakness stems from insufficient input validation and output escaping mechanisms within the plugin's page-builder AJAX functionality. The vulnerability specifically manifests when the Divi builder is active, as the affected AJAX action is only registered under these conditions, creating a targeted attack surface that requires specific environmental prerequisites for exploitation.
The technical flaw resides in the improper handling of user-supplied parameters within the plugin's AJAX response generation process. When an attacker crafts a malicious URL containing crafted script payloads and convinces a logged-in user to visit the page, the plugin fails to properly escape the reflected parameter before incorporating it into the HTML response. This allows malicious scripts to execute within the context of the victim's browser session, potentially compromising the user's authentication state and access privileges.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform session hijacking, credential theft, and privilege escalation attacks against authenticated users. The reflected nature of the XSS means that attackers do not need persistent access to the affected system or database to exploit the vulnerability. Instead, they can deliver payloads through malicious links, social engineering campaigns, or compromised websites. The requirement for the Divi builder to be active limits the attack scope but does not eliminate the risk, as many WordPress installations utilize this popular page builder.
This vulnerability aligns with CWE-79 which categorizes cross-site scripting flaws and maps to ATT&CK technique T1566.001 for initial access through spearphishing attachments or links. The lack of proper output escaping in the AJAX response handling represents a fundamental security oversight that violates secure coding practices recommended by OWASP and NIST guidelines for preventing XSS vulnerabilities. Organizations using FunnelKit plugin versions prior to 3.15.0.6 should immediately implement mitigation strategies including plugin updates, input validation enforcement, and monitoring for suspicious user activity.
Mitigation approaches include updating to the patched version 3.15.0.6 or later, implementing proper parameter sanitization in the plugin's AJAX handlers, and deploying web application firewalls that can detect and block malicious script payloads. Administrators should also consider implementing Content Security Policy headers and monitoring for unusual AJAX request patterns that might indicate exploitation attempts. The vulnerability demonstrates the importance of secure coding practices in WordPress plugins and highlights how seemingly minor input validation gaps can create significant security risks for authenticated users.