{"api_version":"1","generated_at":"2026-07-17T01:46:43+00:00","cve":"CVE-2026-12979","urls":{"html":"https://cve.report/CVE-2026-12979","api":"https://cve.report/api/cve/CVE-2026-12979.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-12979","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-12979"},"summary":{"title":"FunnelKit < 3.15.0.6 - Admin+ Arbitrary File Deletion via Path Traversal in Template Importer","description":"The FunnelKit  WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit  WordPress plugin before 3.15.0.6 or  (denial of service).","state":"PUBLISHED","assigner":"WPScan","published_at":"2026-07-16 07:16:47","updated_at":"2026-07-16 13:43:05"},"problem_types":["CWE-73","CWE-73 External Control of File Name or Path","CWE-73 CWE-73 External Control of File Name or Path"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"}}],"references":[{"url":"https://wpscan.com/vulnerability/d81ca171-65eb-484d-917f-f41b0cd20351/","name":"https://wpscan.com/vulnerability/d81ca171-65eb-484d-917f-f41b0cd20351/","refsource":"contact@wpscan.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-12979","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-12979","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Unknown","product":"FunnelKit","version":"affected 3.15.0.6 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Meher Sudhakar Abbireddi","lang":"en"},{"source":"CNA","value":"WPScan","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"12979","cve":"CVE-2026-12979","epss":"0.001390000","percentile":"0.037040000","score_date":"2026-07-16","updated_at":"2026-07-17 00:05:19"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-12979","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-16T12:40:53.139979Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-73","description":"CWE-73 External Control of File Name or Path","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-16T12:40:57.577Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"FunnelKit","vendor":"Unknown","versions":[{"lessThan":"3.15.0.6","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Meher Sudhakar Abbireddi"},{"lang":"en","type":"coordinator","value":"WPScan"}],"descriptions":[{"lang":"en","value":"The FunnelKit  WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit  WordPress plugin before 3.15.0.6 or  (denial of service)."}],"problemTypes":[{"descriptions":[{"description":"CWE-73 External Control of File Name or Path","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-16T06:00:05.068Z","orgId":"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81","shortName":"WPScan"},"references":[{"tags":["exploit","vdb-entry","technical-description"],"url":"https://wpscan.com/vulnerability/d81ca171-65eb-484d-917f-f41b0cd20351/"}],"source":{"discovery":"EXTERNAL"},"title":"FunnelKit < 3.15.0.6 - Admin+ Arbitrary File Deletion via Path Traversal in Template Importer","x_generator":{"engine":"WPScan CVE Generator"}}},"cveMetadata":{"assignerOrgId":"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81","assignerShortName":"WPScan","cveId":"CVE-2026-12979","datePublished":"2026-07-16T06:00:05.068Z","dateReserved":"2026-06-23T10:56:14.346Z","dateUpdated":"2026-07-16T12:40:57.577Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-16 07:16:47","lastModifiedDate":"2026-07-16 13:43:05","problem_types":["CWE-73","CWE-73 External Control of File Name or Path","CWE-73 CWE-73 External Control of File Name or Path"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.3,"impactScore":2.7}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-16T12:40:53.139979Z","id":"CVE-2026-12979","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"12979","Ordinal":"1","Title":"FunnelKit < 3.15.0.6 - Admin+ Arbitrary File Deletion via Path T","CVE":"CVE-2026-12979","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"12979","Ordinal":"1","NoteData":"The FunnelKit  WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit  WordPress plugin before 3.15.0.6 or  (denial of service).","Type":"Description","Title":"FunnelKit < 3.15.0.6 - Admin+ Arbitrary File Deletion via Path T"}]}}}