CVE-2026-15103
getwpfunnels · WPFunnels – Funnel Builder for WooCommerce
The WPFunnels plugin for WordPress is vulnerable to privilege escalation via an arbitrary option update, allowing authenticated users to modify sensitive application settings.
Executive summary
The WPFunnels plugin for WordPress contains a privilege escalation vulnerability that permits authenticated users to modify critical settings and elevate their privileges.
Vulnerability
This vulnerability (CWE-269) occurs due to improper privilege management during option updates within the plugin's REST API controllers. An attacker with low-level authenticated access can manipulate application options to escalate their privileges.
Business impact
With a CVSS score of 8.8, this vulnerability represents a high risk to the integrity and security of the WordPress environment. Unauthorized privilege escalation allows an attacker to gain administrative control over the WooCommerce storefront, leading to potential data theft, financial manipulation, and total site compromise.
Remediation
Immediate Action: Update the WPFunnels plugin to the latest version beyond 3.12.8 to apply the necessary security patches.
Proactive Monitoring: Review WordPress user account activity logs for unauthorized privilege changes or suspicious configuration modifications.
Compensating Controls: Restrict access to administrative and settings-related REST API endpoints using security plugins or WAF rules until the patch is applied.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of this privilege escalation flaw necessitates an immediate update to the plugin. Security teams should ensure that all WordPress installations using WPFunnels are patched to the latest version to prevent unauthorized access and potential administrative takeover.