WordPress Plugin Vulnerabilities

FunnelKit < 3.15.0.6 - Reflected XSS via Divi Optin Form

Description

The plugin does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted page. The affected action is only registered when the Divi theme/builder is active.

Proof of Concept

Affects Plugins

Fixed in 3.15.0.6

References

Classification

Type
XSS
CWE
CVSS

Miscellaneous

Original Researcher
Meher Sudhakar Abbireddi
Submitter
Meher Sudhakar Abbireddi
Verified
Yes

Timeline

Publicly Published
2026-06-25 (about 21 days ago)
Added
2026-06-25 (about 20 days ago)
Last Updated
2026-06-25 (about 20 days ago)

Other