External risk intelligence

Funnel Builder by FunnelKit SQL Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-42381

An unauthenticated SQL injection vulnerability exists in Funnel Builder by FunnelKit, potentially allowing unauthorized access to sensitive data. This issue affects public-facing web applications where the plugin processes user interactions. Confirming relevance and exposure is key to understanding the business impact.

Halo Surface Signal

4

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-42381

The vulnerability exists in a WordPress plugin designed for building marketing funnels. Such plugins are typically installed on public-facing web servers to process user interactions and lead generation forms, making the affected interface reachable from the internet as part of normal web application functionality.

PCI scan relevance

PCI Relevance for CVE-2026-42381

Yes

CVE-2026-42381 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This unauthenticated SQL injection vulnerability is critical for PCI compliance. Exploitation could allow attackers to steal sensitive customer payment data from the database. PCI DSS Requirement 6.5.1 specifically mandates protection against injection flaws like SQL injection.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability involves an unauthenticated SQL injection flaw within the Funnel Builder by FunnelKit technology, which could allow unauthorized access to data or disruption of services. The main concern is confirming relevance and exposure, as the technology is designed for public-facing web servers and processes user interactions.

  • Unauthenticated SQL injection in a funnel builder tool.
  • Critical flaw, external exposure, potential data compromise.
  • Confirm relevance and impact across relevant systems.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to a web application using the affected plugin. This request would target the Funnel Builder component, which is exposed to the network and does not require authentication. Successful exploitation could allow an attacker to manipulate database queries.

  • No authentication needed.
  • Target Funnel Builder's SQL interface.
  • Potential for database compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject malicious SQL code into the Funnel Builder application. According to the advisory, this could lead to the disclosure of sensitive information stored within the application's database.

  • Database contents could be exposed.
  • SQL injection through unauthenticated network requests.
  • Unauthorized access to application data.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated SQL injection vulnerability in Funnel Builder by FunnelKit affects public-facing web applications. Application owners or the platform team responsible for managing WordPress plugins should take the lead, coordinating with the security team to assess exposure and prioritize remediation. The first practical step involves identifying all instances of the affected plugin, confirming their reachability and business criticality, and then planning the necessary actions, potentially involving vendor coordination.

  • Application owners should own the issue.
  • Verify plugin reachability and business impact.
  • Plan vendor-coordinated remediation.

Frequently asked questions

What is the Funnel Builder by FunnelKit plugin?

Funnel Builder by FunnelKit is a WordPress plugin used to design and manage marketing funnels. It enables site administrators to create customized user journeys and lead generation forms directly on their web servers, which process visitor interactions to help businesses track and convert traffic.

What does SQL injection mean for CVE-2026-42381?

This CVE involves a vulnerability classified as CWE-89, or SQL Injection. It occurs when software fails to properly sanitize input before using it in a database query. In this case, an attacker can supply malicious SQL commands through the plugin, potentially causing the database to execute unintended actions or reveal sensitive information it otherwise would not share.
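As an added illustration (not FunnelKit's code and not taken from the advisory), the CWE-89 pattern described above in a hypothetical WordPress plugin's unauthenticated (nopriv) AJAX handler, with the unsafe string-built query beside the hardened form that binds input through $wpdb->prepare(); the handler name, table name and field names are assumptions.

```php
<?php
// Added example, not FunnelKit code. Handler, table and field names are hypothetical.

// VULNERABLE: request input is interpolated straight into the SQL string.
// A single quote in $_POST['email'] ends the string literal and whatever
// follows is parsed as SQL, which is exactly the CWE-89 failure.
// Shown for contrast only; never register this handler.
function example_funnel_lookup_vulnerable() {
    global $wpdb;
    $email = $_POST['email'];
    $sql   = "SELECT id, status FROM {$wpdb->prefix}example_leads WHERE email = '$email'";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// HARDENED: input is normalised, then bound via $wpdb->prepare(), where %s
// becomes a quoted, escaped string and %d an integer, so it can only ever be
// data. LIKE wildcards in user input are neutralised separately with esc_like(),
// because prepare() quotes the value but does not treat % or _ specially.
function example_funnel_lookup_hardened() {
    global $wpdb;
    $email  = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $funnel = absint( $_POST['funnel_id'] ?? 0 );
    $source = $wpdb->esc_like( sanitize_text_field( wp_unslash( $_POST['source'] ?? '' ) ) );

    $sql = $wpdb->prepare(
        "SELECT id, status
           FROM {$wpdb->prefix}example_leads
          WHERE email = %s AND funnel_id = %d AND source LIKE %s",
        $email,
        $funnel,
        $source . '%'   // wildcard appended after escaping, outside the format string
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Unauthenticated visitors reach 'wp_ajax_nopriv_*' actions; logged-in users
// reach 'wp_ajax_*'. Both routes must point at the hardened handler.
add_action( 'wp_ajax_nopriv_example_funnel_lookup', 'example_funnel_lookup_hardened' );
add_action( 'wp_ajax_example_funnel_lookup', 'example_funnel_lookup_hardened' );
```

The table name is interpolated rather than bound because prepare() placeholders cover values only; it comes from $wpdb->prefix, not from the request.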

How is this SQL injection triggered?

The vulnerability is triggered when an attacker sends a specifically crafted network request to the affected Funnel Builder component. Because the component does not require authentication, the request is processed without verifying the user's identity. Legitimate, non-malicious traffic or standard administrative actions within the WordPress dashboard do not trigger this vulnerability.

Is my system vulnerable according to Halo Surface Signal?

Halo Surface Signal identifies this as a likely concern because Funnel Builder is inherently designed for public-facing web servers. Since the plugin's purpose involves processing external user interactions, the affected interface is typically reachable from the internet. Systems where this plugin is active on a public web server are considered exposed.

What should I do if I use this plugin?

Start by identifying all instances of Funnel Builder by FunnelKit running in your environment. Once you have a list of active installations, confirm their reachability and business role. Coordinate with your platform or security teams to track vendor updates and prioritize the necessary remediation steps to secure your application.
