CVE-2026-12979 in FunnelKit Plugin
Summary
by MITRE • 07/16/2026
The FunnelKit WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit WordPress plugin before 3.15.0.6 or (denial of service).
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in FunnelKit WordPress plugin versions prior to 3.15.0.6 represents a critical path traversal flaw that enables authenticated administrators to execute unauthorized file deletion operations beyond the intended scope of template import functionality. This security weakness stems from inadequate input validation during the template import process where user-supplied paths are not properly sanitized or validated before being processed for file operations.
The technical implementation of this vulnerability resides in the plugin's handling of file paths during template import operations, where the system fails to implement proper path normalization and validation mechanisms. When administrators attempt to import templates, the system accepts user-provided paths without sufficient sanitization, allowing malicious actors with administrative privileges to manipulate these paths using directory traversal sequences such as ../ or ..\. This flaw directly maps to CWE-22 Path Traversal vulnerability classification, which is categorized under the broader category of input validation weaknesses in software security.
The operational impact of this vulnerability extends beyond simple file deletion capabilities and can result in significant service disruption for WordPress installations utilizing FunnelKit. An attacker with administrator access could potentially target critical configuration files, plugin data files, or other system resources that are stored outside the intended template import directory structure. This capability enables a form of denial of service attack where legitimate plugin functionality becomes compromised through strategic deletion of essential JSON files required for proper plugin operation.
The security implications of this vulnerability are particularly concerning given that it requires only administrator-level privileges to exploit, which represents a significant risk in environments where administrative accounts may be compromised or where privilege escalation attacks are possible. The flaw essentially transforms a legitimate administrative function into a vector for arbitrary file deletion, undermining the principle of least privilege and potentially allowing attackers to disrupt business operations through targeted file removal.
Mitigation strategies for this vulnerability should include immediate upgrade to FunnelKit plugin version 3.15.0.6 or later, which implements proper input validation and path sanitization measures. Organizations should also implement additional security controls such as restricting administrative access to only necessary personnel, implementing robust monitoring of file system operations, and conducting regular security audits of installed WordPress plugins. The remediation process should include comprehensive testing to ensure that the patch does not introduce regressions in legitimate plugin functionality while maintaining proper path validation mechanisms.
This vulnerability demonstrates the importance of implementing proper input validation and access control measures in web applications, particularly in administrative interfaces where elevated privileges can be weaponized for destructive operations. From an ATT&CK framework perspective, this represents a privilege escalation technique that leverages path traversal to achieve unauthorized file system access, potentially enabling further attack progression through the compromise of critical system resources or data files. Organizations should consider implementing automated security scanning tools that can identify similar path traversal vulnerabilities in their WordPress installations and other web applications to prevent exploitation of similar weaknesses.