CVE-2026-12979

medium

Description

The FunnelKit WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit WordPress plugin before 3.15.0.6 or (denial of service).

References

https://wpscan.com/vulnerability/d81ca171-65eb-484d-917f-f41b0cd20351/

Details

Source: Mitre, NVD

Published: 2026-07-16

Updated: 2026-07-16

Risk Information

CVSS v2

Base Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:M/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L

Severity: Medium

EPSS

EPSS: 0.00139