CVE-2024-5192 MEDIUM

CVE-2024-5192: Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells <= 3.3.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

Vendor Amans2K
Product FunnelKit – Funnel Builder for WooCommerce Checkout
Weakness CWE-79 · XSS
Published June 29, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mimes’ parameter in all versions up to, and including, 3.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Key dates

02Disclosure timeline

June 29, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-51497 LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/print-customoid.php CVE-2025-48958 Froxlor has an HTML Injection Vulnerability CVE-2024-13509 WS Form LITE and PRO <= 1.10.13 - Unauthenticated Stored Cross-Site Scripting CVE-2024-4419 Fetch JFT <= 1.8.3 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2024-43305 WordPress Custom Layouts – Post + Product grids made easy plugin <= 1.4.11 - Cross Site Scripting (XSS) vulnerability