Threat Entry Updated 2025-11-12

CVE-2025-12000 - Wpfunnels Plugin

The WPFunnels plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpfnl_delete_log() function in all versions up to, and including, 3.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Wpfunnels

CVE-2025-12000

MEDIUM CVSS 6.5 2025-11-08

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-10792 - Wpfunnels Plugin

The Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This was partially patched in 3.5.4 and fully patched in 3.5.5.

PLUGIN Wpfunnels

CVE-2024-10792

MEDIUM CVSS 6.1 2024-11-21

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-02-19

CVE-2023-37977 - Wpfunnels Plugin

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPFunnels Team Drag & Drop Sales Funnel Builder for WordPress – WPFunnels plugin

PLUGIN Wpfunnels

CVE-2023-37977

HIGH CVSS 7.1 2023-07-27

Risk Score

Open Full Technical Breakdown