CVE-2026-15103 in WPFunnels Plugininfo

Summary

by MITRE • 07/16/2026

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Privilege Escalation via arbitrary option update in all versions up to, and including, 3.12.8. This is due to the `update_settings()` REST callback failing to validate the `group_id` path parameter against an allowlist of permitted option names before passing it directly to `get_option()` and `update_option()`, allowing the built-in `wp_user_roles` option — which satisfies the route's loose `[\w-]+` regex — to be targeted. This makes it possible for authenticated attackers with the `wpf_manage_funnels` capability and above to elevate their privileges to administrator by writing a crafted role definition containing arbitrary capabilities into the `wp_user_roles` option, thereby granting any WordPress role full site administrator access. The `wpf_manage_funnels` capability is typically assigned to the Funnel Manager custom role created by the plugin, meaning this role is the minimum required to exploit the vulnerability.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability in WPFunnels – Funnel Builder for WooCommerce plugin represents a critical privilege escalation issue affecting versions up to 3.12.8. This security flaw resides within the plugin's REST API implementation where the update_settings callback function fails to properly validate input parameters before processing them. The core technical weakness stems from insufficient validation of the group_id parameter which follows a loose regex pattern of [\w-]+ allowing malicious actors to manipulate the target option name. When this parameter is passed directly to get_option() and update_option() functions without proper sanitization, it creates an avenue for attackers to target sensitive WordPress options including wp_user_roles.

The operational impact of this vulnerability extends beyond simple privilege escalation as it allows authenticated attackers with minimal capabilities to gain complete administrative control over affected WordPress installations. Specifically, users possessing the wpf_manage_funnels capability can exploit this flaw by crafting malicious role definitions that write arbitrary capabilities into the wp_user_roles option. This manipulation effectively grants any WordPress role administrator-level access to the entire site, compromising all aspects of the WordPress environment including user management, plugin functionality, theme customization, and content modification. The vulnerability's exploitation requires only basic authentication privileges typically assigned to the Funnel Manager custom role created by the plugin, making it particularly dangerous as it can be leveraged by users who should not possess such elevated permissions.

Security researchers have identified this issue as aligning with CWE-264, which addresses Permissions, Privileges and Access Controls, specifically focusing on insufficient privilege management within web applications. The attack vector follows patterns consistent with ATT&CK technique T1078.004, which covers Valid Accounts with the use of compromised or misconfigured administrative privileges. Organizations running affected versions of this plugin face significant risk as attackers can exploit this vulnerability to establish persistent access, modify critical site components, and potentially use the compromised system as a launching point for further attacks against connected systems. The vulnerability's exploitation timeline is particularly concerning given that it requires no special technical skills beyond understanding basic WordPress role management concepts.

Mitigation strategies should begin with immediate patching of all affected plugin versions to the latest release addressing this security gap. Administrators must also implement strict capability management policies ensuring that only trusted users possess the wpf_manage_funnels role or higher privileges within their WordPress installations. Additional protective measures include monitoring for unauthorized changes to user roles and capabilities through WordPress logging mechanisms, implementing network-based intrusion detection systems to monitor for suspicious REST API activity, and conducting regular security audits of plugin configurations. Organizations should also consider removing the plugin entirely if it is not actively used, as this eliminates the attack surface while ensuring no vulnerable code remains in production environments.

Responsible

Wordfence

Reservation

07/08/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00319

KEV

no

Activities

low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!