CVE-2026-49778 WPFunnels CVE debrief

Who should care

WordPress administrators using WPFunnels Pro versions up to 2.9.4 should be aware of this vulnerability and take immediate action to protect their sites. Security teams and IT professionals responsible for managing WordPress installations should prioritize patching this vulnerability.

Technical summary

CVE-2026-49778 is an Unauthenticated Cross Site Scripting (XSS) vulnerability in WPFunnels Pro versions up to 2.9.4. The vulnerability has a CVSS score of 7.1 and is considered HIGH. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. This vulnerability allows attackers to inject malicious scripts into web pages without requiring authentication, potentially leading to unauthorized actions or data breaches.

Defensive priority

High

Recommended defensive actions

• Update WPFunnels Pro to a patched version (if available) immediately.
• Implement a Web Application Firewall (WAF) to detect and prevent XSS attacks.
• Regularly monitor WordPress installations for updates and security patches.
• Use a security plugin to scan for vulnerabilities and monitor site integrity.
• Limit user privileges and access to sensitive areas of the WordPress site.
• Educate users about the risks of XSS attacks and the importance of keeping software up-to-date.
• Consider implementing a Content Security Policy (CSP) to mitigate XSS attacks.

Evidence notes

The vulnerability was reported by Patchstack and is documented in the CVE record. The CVE was published on 2026-06-17T13:20:46.830Z and last modified on 2026-06-17T17:17:23.307Z. The CVSS score and vector were provided by the NVD.

Official resources