Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14345

CVE-2026-14345: WPFunnels WordPress Plugin RCE Vulnerability

CVE-2026-14345 is a remote code execution vulnerability in the WPFunnels plugin for WordPress that allows unauthenticated attackers to execute arbitrary code. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-14345 Overview

CVE-2026-14345 is a remote code execution vulnerability in the WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress. The flaw affects all versions up to and including 3.12.7 and stems from unsanitized handling of the postData parameter. Attacker-controlled input is written directly into a .log file that the plugin later renders through include_once in the wpfnl_show_log function. Unauthenticated attackers can inject PHP code because the nonce required to reach the optin endpoint is emitted publicly on every funnel step page. The vulnerability is tracked under [CWE-434] and carries an EPSS score of 0.745%.

Critical Impact

Unauthenticated attackers can achieve remote code execution on affected WordPress servers once an administrator opens the polluted log through the plugin's Log Settings View UI.

Affected Products

  • WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell (WordPress plugin)
  • All versions up to and including 3.12.7
  • Fixed in version 3.12.8

Discovery Timeline

  • 2026-07-07 - CVE-2026-14345 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-14345

Vulnerability Analysis

The vulnerability chains two insecure behaviors within the WPFunnels plugin. First, the optin AJAX endpoint accepts the postData parameter and writes its contents into a .log file without sanitization or validation. Second, the plugin's Log Settings View uses include_once to render that log file, causing PHP execution of any embedded code. Because the nonce protecting the optin endpoint is publicly exposed on every funnel step page, an unauthenticated attacker can retrieve it and submit a malicious payload. The final trigger requires an administrator to open the polluted log through the plugin UI, converting an unauthenticated injection into full server-side code execution.

Root Cause

The root cause is unrestricted file upload behavior classified under [CWE-434]. The plugin trusts client-supplied postData values, writes them verbatim to a PHP-includeable file, and later evaluates that file with include_once in wpfnl_show_log. See the WordPress Plugin Code Snippet and the AJAX handler reference for the vulnerable code paths.

Attack Vector

An unauthenticated attacker retrieves the publicly emitted nonce from a funnel step page and submits crafted postData to the optin endpoint. The submitted PHP payload is written into the log file. When the Log Settings "Enable Logs" toggle is on and an administrator opens the log view, the plugin includes the file and executes the attacker's code with the privileges of the PHP process. See the Wordfence Vulnerability Report for additional detail on the exploitation chain.

Detection Methods for CVE-2026-14345

Indicators of Compromise

  • Presence of .log files under the WPFunnels plugin directory containing PHP tags such as <?php or <?=.
  • Unexpected POST requests to the WPFunnels optin AJAX endpoint from unauthenticated sources.
  • New or modified PHP files, web shells, or scheduled tasks created shortly after log views by administrators.

Detection Strategies

  • Inspect WPFunnels log files for embedded PHP syntax and non-standard log formatting.
  • Monitor wp-admin/admin-ajax.php traffic for requests containing the WPFunnels optin action with suspicious postData payloads.
  • Correlate administrator access to the plugin's Log Settings View with subsequent process spawns from the web server user.

Monitoring Recommendations

  • Enable file integrity monitoring on the wp-content/plugins/wpfunnels/ directory.
  • Alert on outbound connections from the PHP-FPM or web server process to unfamiliar hosts.
  • Log and review all administrator navigation to the WPFunnels Log Settings screen.

How to Mitigate CVE-2026-14345

Immediate Actions Required

  • Update the WPFunnels plugin to version 3.12.8 or later immediately.
  • Disable the plugin's Log Settings "Enable Logs" toggle until patching is complete.
  • Audit the plugin log directory for existing .log files containing PHP code and remove any suspicious entries.
  • Rotate WordPress administrator credentials and secret keys if compromise is suspected.

Patch Information

The vendor addressed CVE-2026-14345 in WPFunnels version 3.12.8. Details are available in the WordPress Plugin Version Update and the WordPress Plugin Change Log.

Workarounds

  • Disable the WPFunnels plugin entirely until the upgrade to 3.12.8 is applied.
  • Turn off the "Enable Logs" option in WPFunnels Log Settings to prevent writing attacker-controlled data to disk.
  • Restrict access to wp-admin/admin-ajax.php at the web application firewall layer for the WPFunnels optin action from unauthenticated sources.
bash
# Configuration example: block execution of PHP inside the plugin log directory (Apache)
<Directory "/var/www/html/wp-content/plugins/wpfunnels/logs">
    <FilesMatch "\.(log|php)$">
        Require all denied
    </FilesMatch>
    php_flag engine off
</Directory>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.