CVE-2026-14345 Overview
CVE-2026-14345 is a remote code execution vulnerability in the WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress. The flaw affects all versions up to and including 3.12.7 and stems from unsanitized handling of the postData parameter. Attacker-controlled input is written directly into a .log file that the plugin later renders through include_once in the wpfnl_show_log function. Unauthenticated attackers can inject PHP code because the nonce required to reach the optin endpoint is emitted publicly on every funnel step page. The vulnerability is tracked under [CWE-434] and carries an EPSS score of 0.745%.
Critical Impact
Unauthenticated attackers can achieve remote code execution on affected WordPress servers once an administrator opens the polluted log through the plugin's Log Settings View UI.
Affected Products
- WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell (WordPress plugin)
- All versions up to and including 3.12.7
- Fixed in version 3.12.8
Discovery Timeline
- 2026-07-07 - CVE-2026-14345 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-14345
Vulnerability Analysis
The vulnerability chains two insecure behaviors within the WPFunnels plugin. First, the optin AJAX endpoint accepts the postData parameter and writes its contents into a .log file without sanitization or validation. Second, the plugin's Log Settings View uses include_once to render that log file, causing PHP execution of any embedded code. Because the nonce protecting the optin endpoint is publicly exposed on every funnel step page, an unauthenticated attacker can retrieve it and submit a malicious payload. The final trigger requires an administrator to open the polluted log through the plugin UI, converting an unauthenticated injection into full server-side code execution.
Root Cause
The root cause is unrestricted file upload behavior classified under [CWE-434]. The plugin trusts client-supplied postData values, writes them verbatim to a PHP-includeable file, and later evaluates that file with include_once in wpfnl_show_log. See the WordPress Plugin Code Snippet and the AJAX handler reference for the vulnerable code paths.
Attack Vector
An unauthenticated attacker retrieves the publicly emitted nonce from a funnel step page and submits crafted postData to the optin endpoint. The submitted PHP payload is written into the log file. When the Log Settings "Enable Logs" toggle is on and an administrator opens the log view, the plugin includes the file and executes the attacker's code with the privileges of the PHP process. See the Wordfence Vulnerability Report for additional detail on the exploitation chain.
Detection Methods for CVE-2026-14345
Indicators of Compromise
- Presence of .log files under the WPFunnels plugin directory containing PHP tags such as <?php or <?=.
- Unexpected POST requests to the WPFunnels optin AJAX endpoint from unauthenticated sources.
- New or modified PHP files, web shells, or scheduled tasks created shortly after log views by administrators.
Detection Strategies
- Inspect WPFunnels log files for embedded PHP syntax and non-standard log formatting.
- Monitor wp-admin/admin-ajax.php traffic for requests containing the WPFunnels optin action with suspicious postData payloads.
- Correlate administrator access to the plugin's Log Settings View with subsequent process spawns from the web server user.
Monitoring Recommendations
- Enable file integrity monitoring on the wp-content/plugins/wpfunnels/ directory.
- Alert on outbound connections from the PHP-FPM or web server process to unfamiliar hosts.
- Log and review all administrator navigation to the WPFunnels Log Settings screen.
How to Mitigate CVE-2026-14345
Immediate Actions Required
- Update the WPFunnels plugin to version 3.12.8 or later immediately.
- Disable the plugin's Log Settings "Enable Logs" toggle until patching is complete.
- Audit the plugin log directory for existing .log files containing PHP code and remove any suspicious entries.
- Rotate WordPress administrator credentials and secret keys if compromise is suspected.
Patch Information
The vendor addressed CVE-2026-14345 in WPFunnels version 3.12.8. Details are available in the WordPress Plugin Version Update and the WordPress Plugin Change Log.
Workarounds
- Disable the WPFunnels plugin entirely until the upgrade to 3.12.8 is applied.
- Turn off the "Enable Logs" option in WPFunnels Log Settings to prevent writing attacker-controlled data to disk.
- Restrict access to wp-admin/admin-ajax.php at the web application firewall layer for the WPFunnels optin action from unauthenticated sources.
# Configuration example: block execution of PHP inside the plugin log directory (Apache)
<Directory "/var/www/html/wp-content/plugins/wpfunnels/logs">
<FilesMatch "\.(log|php)$">
Require all denied
</FilesMatch>
php_flag engine off
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

