CVE-2026-14345

getwpfunnels · WPFunnels – Funnel Builder for WooCommerce

The WPFunnels WordPress plugin is vulnerable to unauthenticated remote code execution due to improper sanitization of log data combined with unsafe file inclusion.

Executive summary

An unauthenticated remote code execution vulnerability in the WPFunnels WordPress plugin allows attackers to compromise the server via the plugin's log settings.

Vulnerability

The vulnerability allows an unauthenticated attacker to inject malicious code into a log file via the 'postData' parameter. If the "Enable Logs" setting is active, an administrator viewing the logs will trigger an include_once operation on the polluted log file, leading to arbitrary code execution.

Business impact

Successful exploitation allows an attacker to gain full control over the WordPress environment and the underlying web server. This poses a catastrophic risk, including the theft of WooCommerce transaction data, customer credentials, and total site takeover. Given the 9.8 CVSS score, this is an extremely high-priority threat for any e-commerce platform using this plugin.

Remediation

Immediate Action: Update the WPFunnels plugin to the latest available version beyond 3.12.7.

Proactive Monitoring: Review web server logs for suspicious POST requests to funnel step pages and monitor for unauthorized file modifications or changes to plugin configurations.

Compensating Controls: Disable the "Enable Logs" feature in the WPFunnels settings immediately to prevent the triggering of the malicious code inclusion until the plugin is updated.

Exploitation status

Public Exploit Available: False

Analyst recommendation

The severity of this remote code execution flaw necessitates immediate patching. If an update cannot be performed immediately, disabling the logging feature is a mandatory compensating control to mitigate the risk of triggering the exploit.