Vulnerabilities and security researches forwpfunnels wpfunnels

Dec 10, 2025

CVE, Research URL: CVE-2025-12353
Home page URL: Security reports for Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Application: Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Date: Nov 08, 2025
Research Description: The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relying on a user controlled value 'optin_allow_registration' to determine if user registration is allowed, instead of the site-specific setting. This makes it possible for unauthenticated attackers to register new user accounts, even when user registration is disabled.
Affected versions: max 3.6.3.
Status: vulnerable

CVE, Research URL: CVE-2025-12000
Home page URL: Security reports for Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Application: Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Date: Nov 08, 2025
Research Description: The WPFunnels plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpfnl_delete_log() function in all versions up to, and including, 3.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected versions: max 3.6.3.
Status: vulnerable

Aug 06, 2025

CVE, Research URL: CVE-2025-54696
Home page URL: Security reports for Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Application: Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Date: Aug 14, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFunnels WPFunnels allows Stored XSS. This issue affects WPFunnels: from n/a through 3.5.26.
Affected versions: max 3.5.27.
Status: vulnerable

May 16, 2025

CVE, Research URL: CVE-2025-47530
Home page URL: Security reports for Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Application: Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Date: May 23, 2025
Research Description: Deserialization of Untrusted Data vulnerability in WPFunnels WPFunnels allows Object Injection. This issue affects WPFunnels: from n/a through 3.5.18.
Affected versions: max 3.5.19.
Status: vulnerable

Nov 22, 2024

CVE, Research URL: CVE-2024-10792
Home page URL: Security reports for Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Application: Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Date: -
Research Description: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels [wpfunnels] < 3.5.6 CVE-2024-10792
Affected versions: max 3.5.6.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2023-0173
Home page URL: Security reports for Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Application: Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Date: Feb 07, 2023
Research Description: The Drag & Drop Sales Funnel Builder for WordPress plugin before 2.6.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Affected versions: max 2.7.17.
Status: vulnerable

CVE, Research URL: CVE-2024-27965
Home page URL: Security reports for Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Application: Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Date: Mar 21, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFunnels Team WPFunnels allows Stored XSS.This issue affects WPFunnels: from n/a through 3.0.6.
Affected versions: max 3.0.7.
Status: vulnerable

CVE, Research URL: CVE-2023-37977
Home page URL: Security reports for Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Application: Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels
Date: Jul 27, 2023
Research Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPFunnels Team Drag & Drop Sales Funnel Builder for WordPress – WPFunnels plugin <= 2.7.16 versions.
Affected versions: max 2.7.17.
Status: vulnerable