CVE-2026-14345 in WPFunnels Plugin
Summary
by MITRE • 07/07/2026
The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the 'postData' parameter parameter. This is due to unsanitized write of attacker-controlled postData values into a PHP-includeable .log file combined with the use of include_once to render that file in wpfnl_show_log. This makes it possible for unauthenticated attackers to execute code on the server. Exploitation requires that the Log Settings "Enable Logs" toggle is on and that an administrator subsequently opens the polluted log file via the plugin's Log Settings View UI; however, the nonce required to reach the optin endpoint is publicly emitted on every funnel step page, so the injection step itself is fully unauthenticated.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/07/2026
This vulnerability exists within the WPFunnels plugin for WordPress, specifically affecting versions through 3.12.7, presenting a critical remote code execution risk that stems from improper input validation and insecure file handling practices. The flaw manifests through the 'postData' parameter which receives attacker-controlled data without adequate sanitization before being written to a log file that is subsequently included by the application. This represents a classic path to remote code execution via file inclusion vulnerabilities, where the attacker can inject malicious PHP code into what becomes an includeable log file.
The technical exploitation chain begins with the attacker leveraging the publicly exposed nonce present on every funnel step page to bypass authentication requirements for the injection endpoint. The vulnerability is compounded by the plugin's use of include_once to process the log files, which means that any PHP code injected into the .log file will be executed within the context of the web server. This creates a scenario where an unauthenticated attacker can write malicious PHP payloads to the log file through the postData parameter and subsequently trigger their execution when administrators view the log files through the plugin's administrative interface.
The operational impact of this vulnerability is severe as it allows attackers to gain complete control over affected WordPress installations, potentially leading to data breaches, defacement, or further compromise of the underlying infrastructure. The requirement for administrator interaction to execute the malicious code does not mitigate the risk significantly since the nonce exposure removes authentication barriers entirely, making this a fully unauthenticated attack vector. This vulnerability directly maps to CWE-94 (Improper Control of Generation of Code) and CWE-20 (Improper Input Validation), both of which are categorized under the broader category of code injection flaws that can lead to complete system compromise.
Security mitigations for this vulnerability should include immediate patching to version 3.12.8 or later, where the plugin developers have addressed the input sanitization issues and removed the vulnerable file inclusion mechanism. Until patching is possible, administrators should disable the logging functionality within the plugin when not actively needed and implement network-level restrictions to prevent unauthorized access to the plugin's administrative endpoints. Additionally, monitoring for unusual log file modifications and implementing proper input validation at all entry points can help detect and prevent exploitation attempts. The vulnerability also aligns with ATT&CK technique T1059.007 (Command and Scripting Interpreter: PowerShell) and T1566.002 (Phishing: Spearphishing Attachment), as attackers could leverage this vulnerability to establish persistent access or deliver additional payloads through the compromised system.
The root cause of this vulnerability lies in the plugin's failure to properly sanitize user input before incorporating it into server-side operations, combined with insecure file handling practices that allow arbitrary code inclusion. This represents a fundamental security misconfiguration where the application treats potentially malicious data as trusted content, creating an attack surface that can be exploited without any privileged access or complex exploitation techniques. The vulnerability demonstrates how seemingly minor oversights in input validation and file handling can create catastrophic security implications for web applications.