CVE-2026-42381 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-42381: WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.1 - SQL Injection vulnerability

Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions.

Metrics

  • CVSS v3.1 base score: 9.3
  • Severity: CRITICAL
  • Fixed in: no fixed version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the Funnel Builder by FunnelKit WordPress plugin at version 3.15.0.1 and earlier. The flaw is reachable over the network with no authentication required and no user interaction needed, and carries a CVSS score of 9.3 (Critical). Successful exploitation gives an attacker direct read access to the WordPress database and causes limited availability impact to the service. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the FunnelKit plugin. Any image containing an affected version of the plugin is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 9.3 Critical and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the vendor ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via standard HTTP/HTTPS to send a malicious request.

  • Authentication: Not required

    No account or session credential of any privilege level is needed; the injection is reachable by any anonymous HTTP request.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator of the WordPress site.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental pre-conditions beyond reaching the service.

Blast Radius

  • An attacker reads arbitrary rows from the WordPress database, including stored user credentials (hashed passwords), email addresses, session tokens, and plugin configuration data.
  • The scope impact is marked Changed (S:C), meaning the injected query can reach data beyond the plugin's own tables, potentially exposing data owned by other WordPress plugins or the core application.
  • Service availability is partially degraded; heavy or repeated injection queries can slow or briefly interrupt database responsiveness for legitimate users.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-42381, the platform monitors the Patchstack advisory and the FunnelKit release feed on every ingest cycle. The moment a remediated version is published, a patched-image rebuild becomes available, and for customers who have opted into auto-remediation, a rebuilt image, regression test run, and PR against affected workloads are triggered automatically. In the meantime, HarborGuard surfaces the finding to the team inboxes configured for Critical-severity issues, allowing teams to apply compensating controls: network-policy rules that restrict public access to affected WordPress endpoints, web-application firewall rules targeting SQL injection patterns on FunnelKit routes, and feature-flag or plugin-deactivation options where business impact permits. Where compliance policy requires suppression acknowledgment, the finding can be annotated with a compensating-control justification directly in the HarborGuard dashboard until an upstream fix is available.

Affected packages
  • FunnelKit / Funnel Builder by FunnelKit
    ≤ 3.15.0.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L