Remote Code Execution Vulnerability in WPFunnels Plugin for WooCommerce by WPPlugins
CVE-2026-14345

9.8CRITICAL

What is CVE-2026-14345?

The WPFunnels – Funnel Builder for WooCommerce plugin is susceptible to Remote Code Execution due to inadequate sanitization of user input in the 'postData' parameter. This vulnerability arises when attacker-controlled postData values are written to a PHP-includeable log file without proper checks. If the logs are enabled and an administrator accesses the tainted log through the plugin’s Log Settings, it allows unauthenticated attackers to execute arbitrary code on the server. Notably, the nonce used for reaching the endpoint is publicly exposed on every funnel step page, making the process of exploitation entirely unauthenticated.

Affected Version(s)

WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell 0 <= 3.12.7

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

thevietronin
.