CVE-2025-26979: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-26979) was discovered in FunnelKit Funnel Builder WordPress plugin versions through 3.9.0. The vulnerability was reported on February 2, 2025, by security researcher Dimas Maulana and was publicly disclosed on February 23, 2025. This security flaw is related to improper control of filename for include/require statements in PHP programs (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. It is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The vulnerability requires no authentication to exploit and affects the core functionality of the Funnel Builder plugin (NVD, Patchstack).

The vulnerability could allow malicious actors to include local files of the target website and display their contents. This could potentially expose sensitive information, including database credentials, which might lead to complete database compromise depending on the server configuration (Patchstack).

Users are strongly advised to update to version 3.9.1 or later, which contains the fix for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).