CVE-2026-12978
FunnelKit < 3.15.0.6 - Reflected XSS via Divi Optin Form
CVSS Score
7.1
EPSS Score
0.0%
EPSS Percentile
0th
The FunnelKit WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted page. The affected action is only registered when the Divi /builder is active.
| Vendor | unknown |
| Product | funnelkit |
| Published | Jul 16, 2026 |
| Last Updated | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown funnelkit
Be the first to know when new high vulnerabilities affecting unknown funnelkit are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / FunnelKit
0 < 3.15.0.6
References
Credits
Meher Sudhakar Abbireddi WPScan