CVE-2026-48966: WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.2 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a reflected or stored cross-site scripting (XSS) vulnerability in the Funnel Builder by FunnelKit WordPress plugin, affecting all versions up to and including 3.15.0.2. The flaw is reachable over the network without any login or prior account, but requires a victim to interact with a crafted link or page (for example, by clicking a malicious URL). Successful exploitation lets an attacker inject and execute arbitrary JavaScript in the victim's browser, enabling session hijacking, page content manipulation, or redirection to attacker-controlled sites. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-48966 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the FunnelKit plugin. Coverage extends to both registry scans and CI/CD pipeline image checks.
Status: Available
HarborGuard scores this CVE at CVSS 7.1 HIGH (v3.1) and can weight that score against each customer organization's own compliance policy to determine urgency and routing. Triage findings are surfaced to the appropriate team inbox within each customer environment based on configured escalation rules.
Status: Available
Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment FunnelKit ships a remediated release. In the interim, customers can apply compensating controls such as network-policy isolation or web application firewall rules through HarborGuard's policy tooling.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress site's HTTP/HTTPS service to deliver a malicious payload.
- Authentication: Not required
No account or credentials of any kind are needed; the vulnerability is exploitable by any unauthenticated visitor.
- Victim interaction: Required
A victim must take an action such as clicking a crafted link or visiting a page containing the injected payload for the JavaScript to execute in their browser.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other variable environmental factors.
Blast Radius
- Attacker executes arbitrary JavaScript in the authenticated victim's browser session, enabling theft of session cookies or authentication tokens.
- Attacker can read or exfiltrate page content visible to the victim, including any sensitive data rendered in the WordPress admin or front-end context.
- Attacker can modify what the victim sees on the page, such as injecting phishing forms or redirecting the browser to an attacker-controlled site.
- The CVSS scope is changed (S:C), meaning impact can extend beyond the vulnerable plugin itself to other browser-origin resources the victim has access to.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged on any scanned image found to contain the FunnelKit plugin at a version at or below 3.15.0.2. Because no upstream fix has been published, HarborGuard monitors the Patchstack advisory and the FunnelKit release feed on every ingest cycle; a patched-image rebuild will become available automatically as soon as a remediated version is released, and customers with auto-remediation enabled will receive a rebuild, regression-test run, and a PR opened against affected workloads without manual intervention. While no patch exists, recommended compensating controls include placing a web application firewall rule in front of affected WordPress instances to sanitize or block the known XSS vector, restricting network-policy egress from containers running the plugin to limit post-exploitation reach, and reviewing whether the FunnelKit plugin can be temporarily disabled on non-essential environments until a fix is available.
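The flagging rule above (plugin present at a version at or below 3.15.0.2) is simple to state but easy to get wrong with a string comparison, since "3.15.0.10" sorts before "3.15.0.2" lexically. The scanner below is an added example written for this page, not HarborGuard's or FunnelKit's code: it reads the standard WordPress plugin header (`Plugin Name:` / `Version:`) from each plugin's main PHP file under `wp-content/plugins`, compares versions component-wise, and reports plugins inside the affected range. The plugin directory name `funnel-builder` and the exact header name are assumptions, and the sample install it scans is constructed in a temporary directory.

```python
"""Detect WordPress plugins inside an affected version range.

Added example for the CVE-2026-48966 advisory; not HarborGuard's scanner.
Reads the WordPress plugin header that WordPress itself uses to identify
plugins, then compares versions as integer tuples rather than strings.
"""
import os
import re
import tempfile

# Matches '* Plugin Name: ...' and '* Version: ...' header lines in a PHP docblock.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# Affected range from this advisory: (highest affected version, fixed version).
# No fixed version has been published, hence None.
AFFECTED = {"Funnel Builder by FunnelKit": ("3.15.0.2", None)}


def version_tuple(v):
    """'3.15.0.2' -> (3, 15, 0, 2); stops at the first non-numeric component."""
    parts = []
    for p in v.split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def is_affected(version, max_affected, fixed_in=None):
    """True if version <= max_affected and, when a fix is known, below it."""
    v = version_tuple(version)
    if fixed_in is not None and v >= version_tuple(fixed_in):
        return False
    return v <= version_tuple(max_affected)


def read_plugin_header(path):
    """Return the header fields from the first 8 KB of a PHP file, or None."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        head = f.read(8192)
    found = dict(HEADER_RE.findall(head))
    return found if "Plugin Name" in found else None


def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins and return (name, version, path) per plugin."""
    results = []
    for entry in sorted(os.listdir(plugins_dir)):
        d = os.path.join(plugins_dir, entry)
        if not os.path.isdir(d):
            continue
        for fn in sorted(os.listdir(d)):
            if not fn.endswith(".php"):
                continue
            hdr = read_plugin_header(os.path.join(d, fn))
            if hdr:  # first PHP file with a plugin header is the main file
                results.append((hdr["Plugin Name"], hdr.get("Version", "0"),
                                os.path.join(d, fn)))
                break
    return results


def find_affected(plugins_dir):
    """Return the installed plugins that fall inside a known affected range."""
    hits = []
    for name, ver, path in scan_plugins_dir(plugins_dir):
        if name in AFFECTED and is_affected(ver, *AFFECTED[name]):
            hits.append((name, ver, path))
    return hits


def build_sample_install():
    """Constructed fixture: a fake wp-content/plugins tree with two plugins."""
    root = tempfile.mkdtemp()
    plugins = os.path.join(root, "wp-content", "plugins")
    fb = os.path.join(plugins, "funnel-builder")  # directory name is assumed
    os.makedirs(fb)
    with open(os.path.join(fb, "funnel-builder.php"), "w") as f:
        f.write("<?php\n/**\n * Plugin Name: Funnel Builder by FunnelKit\n"
                " * Version: 3.15.0.2\n */\n")
    other = os.path.join(plugins, "hello-dolly")
    os.makedirs(other)
    with open(os.path.join(other, "hello.php"), "w") as f:
        f.write("<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.7.2\n */\n")
    return plugins


if __name__ == "__main__":
    for name, ver, path in find_affected(build_sample_install()):
        print(f"AFFECTED: {name} {ver} ({path})")
```

Once FunnelKit publishes a fixed release, setting the second element of the `AFFECTED` entry to that version makes the check stop flagging remediated installs without touching the comparison logic.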
Affected Products
- FunnelKit / Funnel Builder by FunnelKit: ≤ 3.15.0.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L