Privilege Escalation Vulnerability in WPFunnels Plugin for WooCommerce
CVE-2026-15103
8.8HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 16 July 2026
What is CVE-2026-15103?
The WPFunnels plugin for WooCommerce is susceptible to a privilege escalation vulnerability due to improper validation of parameters in the update_settings() REST callback. Attackers with appropriate capabilities (e.g., wpf_manage_funnels) can exploit this flaw, allowing them to manipulate the wp_user_roles option. This could lead to an unauthorized elevation of privileges, permitting these attackers to assume administrative control of the WordPress site. This vulnerability affects all versions up to and including 3.12.8.
Affected Version(s)
WPFunnels β Funnel Builder for WooCommerce with Checkout & One Click Upsell 0 <= 3.12.8