Privilege Escalation Vulnerability in WPFunnels Plugin for WooCommerce
CVE-2026-15103

8.8HIGH

What is CVE-2026-15103?

The WPFunnels plugin for WooCommerce is susceptible to a privilege escalation vulnerability due to improper validation of parameters in the update_settings() REST callback. Attackers with appropriate capabilities (e.g., wpf_manage_funnels) can exploit this flaw, allowing them to manipulate the wp_user_roles option. This could lead to an unauthorized elevation of privileges, permitting these attackers to assume administrative control of the WordPress site. This vulnerability affects all versions up to and including 3.12.8.

Affected Version(s)

WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell 0 <= 3.12.8

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM
.