CVE-2025-49034 HIGH

CVE-2025-49034: WordPress Funnel Builder by FunnelKit plugin <= 3.10.2 - SQL Injection vulnerability

Vendor Aman

Product Funnel Builder by FunnelKit

Weakness CWE-89 · SQLi

Published July 16, 2025

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

7.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Funnel Builder by FunnelKit funnel-builder allows SQL Injection.This issue affects Funnel Builder by FunnelKit: from n/a through <= 3.10.2.

Explanation of Vulnerability in Simple Terms

02Summary

Funnel Builder by FunnelKit versions 3.10.2 and earlier contain a SQL injection vulnerability accessible to high-privilege users. An attacker with admin or editor access can craft malicious input to execute arbitrary SQL queries, potentially reading sensitive database records. The vulnerability affects the site's database integrity and confidentiality.

What an attacker can do

03Attacker Capabilities

Read or modify database records by injecting SQL commands through the plugin interface.

Potential impact on your site

04Site Impact

Unauthorized database access or modification by compromised admin accounts; potential data breach or site malfunction.

Conditions required to exploit

05Prerequisites

Attacker must have high-privilege access (admin or editor role) to the WordPress site.

Key dates

06Disclosure timeline

July 16, 2025 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-49034 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities