PatchSiren

FunnelKit CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM FunnelKit CVE published 2026-06-26

CVE-2026-57635

A medium severity Unauthenticated Cross Site Request Forgery (CSRF) vulnerability was discovered in the FunnelKit Payment Gateway for Stripe WooCommerce plugin, affecting versions up to 1.14.0.3. The vulnerability, tracked as CVE-2026-57635, has a CVSS score of 6.5. The issue was publicly disclosed on June 26, 2026, and the CVE record was last modified on June 29, 2026. The vulnerability allows an attacke [truncated]

HIGH FunnelKit CVE published 2026-06-15

CVE-2026-48966

CVE-2026-48966 is a HIGH severity Unauthenticated Cross Site Scripting (XSS) vulnerability in Funnel Builder by FunnelKit versions <= 3.15.0.2. The vulnerability was published on [cvePublishedAt] and modified on [cveModifiedAt]. The CVSS score is 7.1.

CRITICAL FunnelKit CVE published 2026-06-15

CVE-2026-42381

CVE-2026-42381 is a critical unauthenticated SQL injection vulnerability in Funnel Builder by FunnelKit versions <= 3.15.0.1. The vulnerability has a CVSS score of 9.3 and is considered critical. It was published on 2026-06-15T21:16:53.990Z and modified on 2026-06-15T21:24:32.790Z.

HIGH FunnelKit CVE published 2026-05-19

CVE-2026-47100

CVE-2026-47100 describes a missing-authorization flaw in Funnel Builder for WooCommerce Checkout versions before 3.15.0.3. An unauthenticated attacker can invoke internal methods through the public checkout endpoint and write arbitrary data to the plugin’s External Scripts global setting, creating a path to JavaScript injection on checkout pages.