Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15103

CVE-2026-15103: WPFunnels Privilege Escalation Vulnerability

CVE-2026-15103 is a privilege escalation vulnerability in WPFunnels plugin for WordPress that allows attackers to gain administrator access. This post covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-15103 Overview

CVE-2026-15103 is a privilege escalation vulnerability in the WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress. The flaw affects all versions up to and including 3.12.8. The update_settings() REST callback fails to validate the group_id path parameter against an allowlist before passing it to get_option() and update_option(). Authenticated attackers with the wpf_manage_funnels capability can overwrite the wp_user_roles option and grant any WordPress role full administrator capabilities. The vulnerability is tracked under [CWE-269: Improper Privilege Management].

Critical Impact

Any user assigned the plugin's Funnel Manager role can escalate to full site administrator by writing a crafted role definition into the wp_user_roles option.

Affected Products

  • WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress
  • All versions up to and including 3.12.8
  • WordPress sites using WooCommerce with the WPFunnels plugin installed

Discovery Timeline

  • 2026-07-16 - CVE-2026-15103 published to NVD
  • 2026-07-16 - Last updated in NVD database

Technical Details for CVE-2026-15103

Vulnerability Analysis

The vulnerability resides in the plugin's REST API settings controller at includes/core/rest-api/Controllers/class-settings-controller.php. The route registers a group_id path parameter that accepts any string matching the loose [\w-]+ regular expression. The update_settings() callback then passes this attacker-controlled value directly to WordPress core option functions without checking it against an allowlist of expected group identifiers.

Because the regex accepts any word characters and hyphens, attackers can supply wp_user_roles — a core WordPress option that defines every role and its capabilities across the site. Writing to this option lets an attacker redefine what any role, including their own, is authorized to do.

Root Cause

The root cause is missing input validation on the group_id parameter used to select which option to read and write. The controller trusts the router-level regex as a security boundary, but [\w-]+ matches sensitive core option names such as wp_user_roles. Without an allowlist, the plugin turns arbitrary WordPress options into attacker-writable data.

Attack Vector

An authenticated user with the wpf_manage_funnels capability — assigned by default to the plugin's Funnel Manager custom role — sends an authenticated request to the plugin's settings REST endpoint. The request targets the wp_user_roles group and supplies a JSON payload that redefines an existing role, for example the Subscriber or Funnel Manager role, to include the manage_options and administrator-tier capabilities. After the option is written, the attacker's account inherits the elevated capability set and can perform any administrator action, including plugin installation and PHP execution via themes.

No verified public exploit code is available. Technical details are documented in the Wordfence Vulnerability Report and the WordPress Plugin Changeset.

Detection Methods for CVE-2026-15103

Indicators of Compromise

  • Unexpected modifications to the wp_user_roles row in the WordPress wp_options table.
  • New administrator accounts, or existing low-privilege accounts suddenly performing administrator-only actions such as plugin installation.
  • REST API requests to the WPFunnels settings endpoint containing group_id=wp_user_roles in the URL path or request body.
  • Web server access logs showing POST or PUT requests to /wp-json/wpfunnels/ settings routes from accounts holding the wpf_manage_funnels capability.

Detection Strategies

  • Enable WordPress audit logging to track changes to the wp_user_roles option and to core role and capability assignments.
  • Alert on any WordPress user whose capability set expands to include manage_options, install_plugins, or edit_users outside of a change window.
  • Inspect REST API traffic for group_id path segments that reference WordPress core option names rather than plugin-scoped identifiers.

Monitoring Recommendations

  • Forward WordPress and web server logs to a centralized analytics platform for correlation of privilege changes with the originating user session.
  • Monitor for post-exploitation behavior such as new plugin uploads, theme file edits, and outbound requests from wp-admin sessions.
  • Baseline the expected set of administrators and generate alerts on deviations.

How to Mitigate CVE-2026-15103

Immediate Actions Required

  • Update the WPFunnels plugin to the version released in the fixing changeset immediately on every WordPress site where it is installed.
  • Audit all WordPress accounts and remove the wpf_manage_funnels capability from users who do not require it.
  • Review the wp_user_roles option and restore it from a known-good backup if unauthorized capability grants are present.
  • Rotate credentials for any account that could have been used to trigger the vulnerability.

Patch Information

The vendor addressed the flaw in the changeset referenced by the WordPress Plugin Changeset. Administrators should upgrade past version 3.12.8. Vulnerable code paths are documented in the class-settings-controller.php source and the wpfnl-functions.php utility.

Workarounds

  • Temporarily deactivate the WPFunnels plugin until it can be updated to a patched release.
  • Remove the Funnel Manager custom role or revoke the wpf_manage_funnels capability from all non-administrator accounts.
  • Restrict access to the /wp-json/wpfunnels/ REST namespace at the web application firewall to trusted administrator IP addresses.
  • Enforce multi-factor authentication for every WordPress account with editing privileges.
bash
# Configuration example: restrict the WPFunnels REST namespace at the web server
location ~ ^/wp-json/wpfunnels/ {
    allow 203.0.113.10;   # trusted admin IP
    deny  all;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.