CVE-2026-13080 Overview
CVE-2026-13080 is a Local File Inclusion (LFI) vulnerability in the WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress. All versions up to and including 3.12.7 are affected. The flaw exists in the handling of the logKey parameter within the plugin's settings module. Authenticated attackers holding administrator-level access or higher can include and execute arbitrary .php files located on the server. Successful exploitation permits execution of PHP code, bypass of access controls, disclosure of sensitive data, and code execution when attackers can also upload .php files. The issue is tracked as CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program.
Critical Impact
Authenticated administrators can include arbitrary local .php files through the logKey parameter, enabling PHP code execution on the WordPress host.
Affected Products
- WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress
- All versions up to and including 3.12.7
- WordPress sites using vulnerable settings module class-wpfnl-settings.php
Discovery Timeline
- 2026-07-09 - CVE-2026-13080 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-13080
Vulnerability Analysis
The WPFunnels plugin exposes a settings endpoint that accepts a user-controlled logKey parameter. The plugin uses this value to construct a filesystem path passed to a PHP include or require call. Because the parameter is not properly validated or restricted to an allow-list of expected log identifiers, an attacker can supply path traversal sequences or absolute references pointing at other .php files on the server.
When the manipulated path is included, PHP parses and executes the target file in the context of the WordPress process. This turns any writable .php file on the host into an execution primitive. Attackers can combine the flaw with file upload functionality, plugin caches, or session storage to stage a payload file and then trigger it through logKey.
The vulnerability requires administrator-level privileges, which limits blind external exploitation but does not neutralize the risk. Compromised admin accounts, credential stuffing, phishing, or a secondary privilege escalation are common preconditions on WordPress deployments.
Root Cause
The root cause is unsafe use of externally influenced input in a PHP include statement. Relevant code paths in admin/modules/settings/class-wpfnl-settings.php at lines 181, 703, and 709, along with the AJAX helper vendor/philipnewcomer/wp-ajax-helper/src/components/Utility.php at line 26, incorporate the logKey value into an include path without normalizing the path or verifying it resolves inside an intended log directory.
Attack Vector
Exploitation is performed over the network against a WordPress site running WPFunnels <= 3.12.7. An authenticated administrator sends a crafted request containing a logKey value that references a chosen .php file. The plugin resolves the path and includes the file, executing its PHP contents. See the Wordfence Vulnerability Report and the WPFunnels 3.12.6 settings source for the affected code paths.
Detection Methods for CVE-2026-13080
Indicators of Compromise
- Requests to WPFunnels admin AJAX endpoints containing a logKey parameter with path traversal sequences such as ../ or absolute filesystem paths
- Unexpected inclusion or execution of .php files from outside the plugin's log directory recorded in web server or PHP error logs
- New or modified .php files in wp-content/uploads/ timestamped near suspicious admin sessions
- Outbound network connections initiated by the PHP-FPM or web server process following WPFunnels settings requests
Detection Strategies
- Inspect HTTP access logs for POST or GET requests to WPFunnels settings and AJAX handlers referencing the logKey parameter with non-standard values
- Alert on WordPress administrator sessions that access plugin settings from unusual IP addresses or user-agent strings
- Enable and review PHP open_basedir or WAF logs that flag include operations against paths outside wp-content/plugins/wpfunnels/
Monitoring Recommendations
- Monitor WordPress wp_users and wp_usermeta for unexpected role changes to administrator that could precede exploitation
- Track file integrity on wp-content/plugins/wpfunnels/ and the WordPress uploads directory to identify newly written .php files
- Aggregate WordPress audit logs and web server logs into a central platform and alert on logKey parameter anomalies
How to Mitigate CVE-2026-13080
Immediate Actions Required
- Update the WPFunnels plugin to a version later than 3.12.7 as soon as a patched release is available from the vendor
- Audit all WordPress accounts with administrator or equivalent roles and remove or rotate credentials for unused accounts
- Enforce multi-factor authentication for every administrator account to reduce the risk of admin-level compromise
- Review web server, PHP, and WordPress logs for prior requests containing suspicious logKey values
Patch Information
The vulnerability affects WPFunnels through version 3.12.7. Vendor code changes are tracked in the WPFunnels plugin changeset 3597260. Administrators should apply the fixed release published by the plugin author and verify the installed version reports higher than 3.12.7 after the update.
Workarounds
- Deactivate and remove the WPFunnels plugin on sites that cannot be patched immediately
- Restrict access to /wp-admin/ using IP allow-listing at the web server or WAF layer to limit exposure of the vulnerable endpoint
- Configure PHP open_basedir to constrain include paths to the WordPress installation directory and block traversal to unrelated .php files
- Deploy a WordPress WAF rule that blocks requests where the logKey parameter contains ../, null bytes, or absolute paths
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

