PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-57635 FunnelKit CVE debrief

A medium-severity unauthenticated Cross-Site Request Forgery (CSRF) vulnerability was discovered in the FunnelKit Payment Gateway for Stripe WooCommerce plugin, affecting versions up to 1.14.0.3. The vulnerability, tracked as CVE-2026-57635, has a CVSS score of 6.5. The issue was publicly disclosed on June 26, 2026, and the CVE record was last modified on June 29, 2026. The vulnerability allows an attacker to cause a logged-in user's browser to send requests to the plugin that the user did not intend, so that actions are performed on that user's behalf without their consent. Users of the affected plugin are advised to update to a patched version as soon as possible.

Vendor
FunnelKit
Product
FunnelKit Payment Gateway for Stripe WooCommerce
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-26
Original CVE updated
2026-06-29
Advisory published
2026-06-26
Advisory updated
2026-06-29

Who should care

Administrators and users of the FunnelKit Payment Gateway for Stripe WooCommerce plugin, especially those running versions up to 1.14.0.3, should be aware of this vulnerability and take the necessary actions to mitigate the risk. An attacker can exploit this vulnerability to have unauthorized actions performed on the affected site through a victim user's browser.

Technical summary

The CVE-2026-57635 vulnerability is a CSRF issue in the FunnelKit Payment Gateway for Stripe WooCommerce plugin. The plugin, used for payment processing in WooCommerce, does not properly validate the origin of incoming requests, allowing an attacker to trick users into performing unintended actions. The vulnerability has a CVSS score of 6.5, indicating a medium severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N: the vulnerability can be exploited over the network with low attack complexity and no privileges required, but it requires user interaction (UI:R), as is typical for CSRF, and its impact is confined to integrity (I:H), with no confidentiality or availability impact.

Defensive priority

Defenders should prioritize patching the FunnelKit Payment Gateway for Stripe WooCommerce plugin to prevent exploitation of this CSRF vulnerability. Updating to a patched version of the plugin will mitigate the risk of unauthorized actions being performed on the affected system.

Recommended defensive actions

  • Update the FunnelKit Payment Gateway for Stripe WooCommerce plugin to a patched version.
  • Review and monitor the affected system for any suspicious activity.
  • Implement additional security measures, such as validating the origin of state-changing requests (for example, with nonce or anti-CSRF token checks) and restricting access to sensitive areas of the system.
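To make the "does not properly validate requests" weakness and the "validating user requests" action concrete, here is an added example that is not code from the FunnelKit plugin or from PatchSiren: a CSRF-prone WordPress AJAX handler beside its nonce- and capability-checked form. The handler, option and action names are hypothetical; the WordPress and WooCommerce functions used (check_ajax_referer, current_user_can, wp_create_nonce, the manage_woocommerce capability) are real.

```php
<?php
// Added illustrative example, not code from the FunnelKit plugin. The handler
// names, option name and nonce action string below are hypothetical.

// BEFORE: a CSRF-prone pattern. Any request that carries the victim's session
// cookie reaches this handler, so a page the victim merely visits can submit
// the form on their behalf and silently change a payment setting.
add_action( 'wp_ajax_example_save_gateway_settings', 'example_save_gateway_settings_unsafe' );
function example_save_gateway_settings_unsafe() {
    $mode = sanitize_text_field( wp_unslash( $_POST['mode'] ?? '' ) );
    update_option( 'example_gateway_mode', $mode ); // no origin check, no capability check
    wp_send_json_success();
}

// AFTER: the hardened pattern WordPress expects for state-changing requests.
// 1) A nonce ties the request to this user, this action and a time window; a
//    cross-site page cannot read it, so it cannot forge a valid request.
// 2) A capability check ensures the user may change the setting at all.
add_action( 'wp_ajax_example_save_gateway_settings_v2', 'example_save_gateway_settings_safe' );
function example_save_gateway_settings_safe() {
    // Terminates with a 403 response if the nonce is missing, expired or for another action.
    check_ajax_referer( 'example_save_gateway_settings', 'security' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $allowed = array( 'test', 'live' );
    $mode    = sanitize_text_field( wp_unslash( $_POST['mode'] ?? '' ) );
    if ( ! in_array( $mode, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid mode.' ), 400 );
    }

    update_option( 'example_gateway_mode', $mode );
    wp_send_json_success( array( 'mode' => $mode ) );
}

// The legitimate settings page hands the nonce to its own JavaScript; the same
// action string must be used when the nonce is created and when it is verified.
function example_enqueue_settings_script() {
    wp_enqueue_script( 'example-gateway-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-gateway-settings', 'exampleGateway', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_gateway_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_script' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*`, `admin_post_*` or settings-save handler that writes options or changes state and confirm it performs both a nonce check and a capability check before the write.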

Evidence notes

The CVE-2026-57635 vulnerability was publicly disclosed on June 26, 2026, and the CVE record was last modified on June 29, 2026. The vulnerability was reported by Patchstack, and the affected plugin is used for payment processing in WooCommerce. The CVSS score and vector were provided by the NVD.

Official resources

This article was generated with AI assistance based on the supplied source corpus.