CVE-2025-26979
📋 TL;DR
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites running FunnelKit Funnel Builder plugin versions up to 3.9.0, potentially leading to sensitive information disclosure or code execution.
💻 Affected Systems
- Funnel Builder by FunnelKit (WordPress plugin)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data theft, and website defacement.
Likely Case
Local file inclusion allowing sensitive file reading (configuration files, credentials) and limited code execution.
If Mitigated
Limited impact if proper file permissions and web server configurations restrict file access.
🎯 Exploit Status
Exploitation requires specific conditions and knowledge of target environment. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.9.0
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Funnel Builder by FunnelKit'
4. Click 'Update Now' if update available
5. If no update available, deactivate and remove plugin until patch is released
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate Funnel Builder plugin until patched version is available
Restrict PHP file inclusion
allConfigure PHP to disable allow_url_include and restrict open_basedir
php.ini: allow_url_include = Off
php.ini: open_basedir = /var/www/html
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block file inclusion patterns
- Restrict file permissions and implement strict access controls on sensitive directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Funnel Builder by FunnelKit version. If version is 3.9.0 or earlier, you are vulnerable.Check Version:
wp plugin list --name=funnel-builder --field=versionVerify Fix Applied:
Verify plugin version is higher than 3.9.0 in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in PHP error logs
- Multiple include/require attempts with suspicious file paths
- HTTP requests containing '../' or similar path traversal patterns
Network Indicators:
- HTTP requests with file inclusion parameters
- Unusual POST/GET requests to plugin endpoints
SIEM Query:
source="web_server_logs" AND (uri="*funnel-builder*" AND (param="*include*" OR param="*require*" OR uri="*../*"))