CVE-2024-6836: CWE-862 Missing Authorization in amans2k Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells
Description
The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple functions in all versions up to, and including, 3.4.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to update multiple settings, including templates, designs, checkouts, and other plugin settings.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-07-17T16:00:26.233Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c0cb7ef31ef0b55f5fa
Added to database: 2/25/2026, 9:39:24 PM
Last updated: 2/25/2026, 9:41:31 PM