Remote Code Execution Vulnerability in WPFunnels Plugin for WooCommerce by WPPlugins
CVE-2026-14345
9.8CRITICAL
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 7 July 2026
What is CVE-2026-14345?
The WPFunnels – Funnel Builder for WooCommerce plugin is susceptible to Remote Code Execution due to inadequate sanitization of user input in the 'postData' parameter. This vulnerability arises when attacker-controlled postData values are written to a PHP-includeable log file without proper checks. If the logs are enabled and an administrator accesses the tainted log through the plugin’s Log Settings, it allows unauthenticated attackers to execute arbitrary code on the server. Notably, the nonce used for reaching the endpoint is publicly exposed on every funnel step page, making the process of exploitation entirely unauthenticated.
Affected Version(s)
WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell 0 <= 3.12.7