WordPress Plugin Vulnerabilities

FunnelKit < 3.15.0.6 - Admin+ Arbitrary File Deletion via Path Traversal in Template Importer

Description

The plugin does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other plugins or themes (denial of service).

Proof of Concept

Affects Plugins

Fixed in 3.15.0.6

References

Classification

Type
FILE DELETION
CWE

Miscellaneous

Original Researcher
Meher Sudhakar Abbireddi
Submitter
Meher Sudhakar Abbireddi
Verified
Yes

Timeline

Publicly Published
2026-06-25 (about 21 days ago)
Added
2026-06-25 (about 20 days ago)
Last Updated
2026-06-25 (about 20 days ago)

Other