PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12978 FunnelKit CVE debrief

The FunnelKit WordPress plugin before 3.15.0.6 has a Reflected Cross-Site Scripting vulnerability. The plugin does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions. This allows unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted page. The affected action is only registered when the Divi /builder is active. Administrators and users should be aware of this vulnerability and take necessary actions to protect their sites.

Vendor
FunnelKit
Product
FunnelKit WordPress plugin
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Administrators and users of the FunnelKit WordPress plugin, especially those using version before 3.15.0.6, should be aware of this vulnerability and take necessary actions to protect their sites. This includes updating the plugin to the latest version, restricting access to the affected AJAX action, and implementing Content Security Policy (CSP) to mitigate XSS attacks.

Technical summary

The FunnelKit WordPress plugin before 3.15.0.6 does not properly escape user-supplied input in one of its AJAX actions. This allows unauthenticated attackers to inject malicious scripts into the HTML response, potentially leading to Reflected Cross-Site Scripting attacks against logged-in users. The affected action is only registered when the Divi /builder is active. The plugin's failure to escape user-supplied input creates a vulnerability that can be exploited by attackers to inject malicious scripts.

Defensive priority

High

Recommended defensive actions

  • Update the FunnelKit WordPress plugin to version 3.15.0.6 or later.
  • Restrict access to the affected AJAX action.
  • Implement Content Security Policy (CSP) to mitigate XSS attacks.
  • Monitor for suspicious activity on the site.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

Evidence is limited. The CVE record and NVD entry provide basic information about the vulnerability. Further details are available from the WPScan reference. Defenders should verify the affected plugin version and configurations, review logs for suspicious activity, and monitor for potential exploitation attempts. The CVE record was published on 2026-07-16T07:16:47.577Z and has not been modified since then. Limited evidence suggests that the vulnerability is exploitable in certain configurations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T07:16:47.577Z and has not been modified since then.