๐Ÿ” CVE Alert

CVE-2026-12978

HIGH 7.1

FunnelKit < 3.15.0.6 - Reflected XSS via Divi Optin Form

CVSS Score
7.1
EPSS Score
0.0%
EPSS Percentile
0th

The FunnelKit WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted page. The affected action is only registered when the Divi /builder is active.

Vendor unknown
Product funnelkit
Published Jul 16, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for unknown funnelkit

Be the first to know when new high vulnerabilities affecting unknown funnelkit are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / FunnelKit
0 < 3.15.0.6

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/1b22645b-28cb-44f3-a5b9-c81a40175e59/

Credits

Meher Sudhakar Abbireddi WPScan