๐Ÿ” CVE Alert

CVE-2026-12979

MEDIUM 5.5

FunnelKit < 3.15.0.6 - Admin+ Arbitrary File Deletion via Path Traversal in Template Importer

CVSS Score
5.5
EPSS Score
0.0%
EPSS Percentile
0th

The FunnelKit WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit WordPress plugin before 3.15.0.6 or (denial of service).

Vendor unknown
Product funnelkit
Published Jul 16, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for unknown funnelkit

Be the first to know when new medium vulnerabilities affecting unknown funnelkit are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / FunnelKit
0 < 3.15.0.6

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/d81ca171-65eb-484d-917f-f41b0cd20351/

Credits

Meher Sudhakar Abbireddi WPScan