CVE-2026-12979
FunnelKit < 3.15.0.6 - Admin+ Arbitrary File Deletion via Path Traversal in Template Importer
CVSS Score
5.5
EPSS Score
0.0%
EPSS Percentile
0th
The FunnelKit WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit WordPress plugin before 3.15.0.6 or (denial of service).
| Vendor | unknown |
| Product | funnelkit |
| Published | Jul 16, 2026 |
| Last Updated | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown funnelkit
Be the first to know when new medium vulnerabilities affecting unknown funnelkit are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / FunnelKit
0 < 3.15.0.6
References
Credits
Meher Sudhakar Abbireddi WPScan