The FunnelKit WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit WordPress plugin before 3.15.0.6 or (denial of service).
Metrics
Affected Vendors & Products
References
History
Thu, 16 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-73 | |
| Metrics |
cvssV3_1
|
Thu, 16 Jul 2026 06:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The FunnelKit WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit WordPress plugin before 3.15.0.6 or (denial of service). | |
| Title | FunnelKit < 3.15.0.6 - Admin+ Arbitrary File Deletion via Path Traversal in Template Importer | |
| References |
|
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-07-16T12:40:57.577Z
Reserved: 2026-06-23T10:56:14.346Z
Link: CVE-2026-12979
Updated: 2026-07-16T12:40:39.475Z
No data.
No data.
OpenCVE Enrichment
No data.