CVE-2026-49778
Deferred Deferred - Pending Action
Unauthenticated XSS in WPFunnels Pro

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-49778
EUVD
EUVD-2026-37624
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpfunnels pro to 2.9.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WordPress WPFunnels Pro Plugin, specifically versions 2.9.4 and earlier, is vulnerable to a Cross Site Scripting (XSS) attack. This vulnerability allows attackers to inject malicious scripts, such as redirects or advertisements, which execute when visitors access the site.

Successful exploitation requires a privileged user to interact with a malicious link, crafted page, or form submission.

It has a medium priority with a CVSS severity score of 7.1, indicating it is moderately dangerous and could be exploited in mass campaigns targeting numerous websites.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts on your website visitors' browsers. These scripts could perform unwanted actions such as redirects to malicious sites or displaying unauthorized advertisements.

Because the attack requires a privileged user to interact with a malicious element, it can lead to compromised user sessions or unauthorized actions within your site.

The vulnerability's moderate severity means it could be used in widespread attacks affecting many websites, potentially damaging your site's reputation and user trust.

The recommended mitigation is to update the plugin to version 2.9.5 or later or apply provided mitigation rules to block attacks until the update is applied.

Detection Guidance

This vulnerability involves Cross Site Scripting (XSS) in the WPFunnels Pro WordPress plugin versions 2.9.4 and earlier. Detection typically involves monitoring for suspicious script injections or unusual redirects triggered by malicious links or form submissions targeting the plugin.

While no specific commands are provided, you can detect attempts by inspecting web server logs for unusual query parameters or payloads containing script tags or suspicious JavaScript code targeting WPFunnels Pro endpoints.

Additionally, using web vulnerability scanners that test for XSS vulnerabilities on the affected plugin's pages can help identify if the vulnerability is exploitable on your system.

Mitigation Strategies

The recommended immediate step is to update the WPFunnels Pro plugin to version 2.9.5 or later, where this XSS vulnerability is fixed.

Until the update can be applied, Patchstack has provided a mitigation rule to block attacks exploiting this vulnerability. Implementing this mitigation rule can help protect your site temporarily.

Also, monitor and restrict privileged user interactions with untrusted links or forms to reduce the risk of exploitation.

Compliance Impact

The provided information does not specify how the Cross Site Scripting (XSS) vulnerability in WPFunnels Pro affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49778. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart