Severity: HIGH · CVE-2026-49778 · CNA: Patchstack

CVE-2026-49778: WordPress WPFunnels Pro plugin <= 2.9.4 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions.

Metrics

  • CVSS v3.1 base score: 7.1
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

A reflected or stored cross-site scripting (XSS) vulnerability exists in the WPFunnels Pro WordPress plugin at version 2.9.4 and earlier. The vulnerability is reachable over the network without any authentication, but requires a victim to interact with a crafted link or page. Successful exploitation lets an attacker inject and run arbitrary JavaScript in the victim's browser, enabling session theft, page content manipulation, and denial of service against the affected WordPress site. HarborGuard is tracking this advisory for patch availability, as no fix version has been published yet.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-49778 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images containing the WPFunnels Pro plugin, including custom-built WordPress images. Coverage extends to images in both connected registries and CI/CD pipeline stages.

Triage: Available

Triage is available using the CVSS v3.1 score of 7.1 (HIGH), with per-environment compliance policy weighting applied to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released by the WPFunnels maintainers. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the vulnerable WordPress site over the network; the service must be exposed to the attacker's origin.

  • Authentication: Not required

    No account or credentials are needed; the vulnerability is exploitable by any unauthenticated party.

  • Victim interaction: Required

    A victim must follow a crafted link or visit a malicious page, making this a social-engineering-dependent attack.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and imposes no special environmental conditions or race-condition requirements on the attacker.

Blast Radius

  • An attacker can inject JavaScript that runs in the victim's browser session and reads stored session cookies or authentication tokens, enabling account takeover. Note that WordPress sets its authentication cookies with the HttpOnly flag by default, which blocks direct cookie reads from script; the injected script can still drive authenticated requests from the victim's browser.
  • Injected scripts can silently modify visible page content, redirect the victim to a phishing site, or perform actions on the WordPress admin panel on the victim's behalf.
  • With a scope change confirmed in the CVSS vector, the impact escapes the plugin's own context and can affect the broader WordPress application and any co-hosted resources the victim's browser session can reach.
  • The availability impact allows the attacker to degrade or disrupt the victim's interaction with the affected WordPress site through browser-side denial of service techniques.

How HarborGuard Handles This

Available on HarborGuard: because no fix version exists for CVE-2026-49778, HarborGuard monitors the Patchstack advisory and upstream WPFunnels release channels on every ingest cycle. When an upstream patch is published, a patched-image rebuild will become available immediately; for customers who opt into auto-remediation, that triggers a full rebuild, regression-test run, and a PR opened against affected workloads. In the interim, compensating controls worth evaluating include applying a web application firewall rule to filter reflected XSS payloads at the WordPress entry point, restricting network-policy egress from containers running WordPress to limit the blast radius of injected scripts, and disabling or removing the WPFunnels Pro plugin if its funnel features are not in active use. Customers whose compliance policy requires a severity threshold response for HIGH findings can configure HarborGuard to escalate this finding immediately for manual review.

Affected packages
  • WPFunnels / WPFunnels Pro, versions ≤ 2.9.4
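The affected range above is the whole of what this entry gives a defender to work with, so the practical check is "is WPFunnels Pro installed, and is its version at or below 2.9.4?". The script below is an added example and is not HarborGuard's matcher or any code from the WPFunnels project: it reads the standard WordPress plugin header comment (`Plugin Name:` / `Version:`) that every plugin's main PHP file carries, compares the version against the advisory's upper bound with numeric (not string) ordering so that 2.10 sorts above 2.9.4, and can walk a `wp-content/plugins` directory. The header sample embedded in it is constructed for the example; the plugin's real file layout and the `wp-content/plugins` path are assumptions.

```python
import re
from pathlib import Path

# Upper bound of the affected range, taken from this advisory (<= 2.9.4 affected).
VULNERABLE_MAX = "2.9.4"
AFFECTED_PLUGIN_NAME = "WPFunnels Pro"

# Constructed sample of a WordPress plugin main-file header. This is NOT the real
# WPFunnels Pro file; it only follows the header format WordPress itself parses.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WPFunnels Pro
 * Plugin URI:  https://example.invalid/placeholder
 * Version:     2.9.4
 */
"""


def parse_plugin_header(text):
    """Extract the 'Plugin Name' and 'Version' fields from a plugin header comment."""
    fields = {}
    for m in re.finditer(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(\S.*?)\s*$", text, re.M):
        fields[m.group(1)] = m.group(2)
    return fields


def version_key(version):
    """Numeric tuple for ordering: '2.9.4' -> (2, 9, 4); a '-beta' suffix is ignored."""
    nums = re.findall(r"\d+", version.split("-")[0])
    return tuple(int(n) for n in nums)


def is_affected(version, max_vulnerable=VULNERABLE_MAX):
    """True if version <= max_vulnerable; tuples are zero-padded so '2.9' == '2.9.0'."""
    a, b = version_key(version), version_key(max_vulnerable)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def check_header(text):
    """Return (name, version, affected) for the target plugin, or None for any other plugin."""
    fields = parse_plugin_header(text)
    name, version = fields.get("Plugin Name"), fields.get("Version")
    if name != AFFECTED_PLUGIN_NAME or version is None:
        return None
    return (name, version, is_affected(version))


def scan_plugins_dir(plugins_root):
    """Walk <plugins_root>/*/*.php (assumed wp-content/plugins layout) and list affected installs."""
    findings = []
    for php in Path(plugins_root).glob("*/*.php"):
        result = check_header(php.read_text(errors="replace"))
        if result is not None:
            findings.append((str(php),) + result)
    return findings


if __name__ == "__main__":
    # Against a live site: scan_plugins_dir("/var/www/html/wp-content/plugins")
    print(check_header(SAMPLE_PLUGIN_HEADER))
```

The version comparison is the part worth getting right: a plain string compare would report 2.10 as older than 2.9.4 and miss the fact that it is outside the affected range, and a missing third component ("2.9") must still match, which the zero-padding handles.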
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L