
cpe:2.3:a:getwpfunnels:wpfunnels_–_funnel_builder_for_woocommerce_with_checkout_&_one_click_upsell:*:*:*:*:*:*:*:*

part: a
version: *
update: *

Vendor: Getwpfunnels (4138e9de-bacf-5e30-8e2a-7be927f1a724)
Product: Wpfunnels – Funnel Builder For Woocommerce With Checkout & One Click Upsell (d8a9a231-11ed-5453-a94e-3d173230b51e)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-0626 | vulnerable | 2026-06-08 07:47:12.783081 | WPFunnels <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode
MEDIUM (6.4)
The WPFunnels – Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpf_optin_form' shortcode in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping of the 'button_icon' parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-04T11:16:13.764Z
Updated: 2026-04-08T16:41:23.537Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12353 | vulnerable | 2026-06-08 07:04:30.072834 | WPFunnels <= 3.6.2 - Unauthorized User Registration
MEDIUM (5.3)
The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relying on a user controlled value 'optin_allow_registration' to determine if user registration is allowed, instead of the site-specific setting. This makes it possible for unauthenticated attackers to register new user accounts, even when user registration is disabled.
Published: 2025-11-08T03:27:47.222Z
Updated: 2026-04-08T16:51:41.520Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12000 | vulnerable | 2026-06-08 07:04:29.530515 | WPFunnels <= 3.6.2 - Authenticated (Administrator+) Arbitrary File Deletion via Path Traversal
MEDIUM (6.5)
The WPFunnels plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpfnl_delete_log() function in all versions up to, and including, 3.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-11-08T03:27:49.707Z
Updated: 2026-04-08T17:27:08.002Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-10792 | vulnerable | 2026-06-08 06:23:47.559135 | Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels <= 3.5.5 - Reflected Cross-Site Scripting
MEDIUM (6.1)
The Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This was partially patched in 3.5.4 and fully patched in 3.5.5.
Published: 2024-11-21T09:32:49.679Z
Updated: 2026-04-08T17:10:39.365Z
Imported from gcve-enriched-dumps CVE data
