CVE-2026-3645 in Punnel Plugin
Summary
by MITRE • 03/21/2026
The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can()) and nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's entire configuration including the API key via a POST request to admin-ajax.php. Once the API key is known (because the attacker set it), the attacker can use the plugin's public API endpoint (sniff_requests() at /?punnel_api=1) — which only validates requests by comparing a POST token against the stored api_key — to create, update, or delete arbitrary posts, pages, and products on the site.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2026-3645 affects the Punnel – Landing Page Builder plugin for WordPress, exposing a critical authorization flaw that enables authenticated attackers to compromise plugin configurations and potentially execute arbitrary actions on affected sites. This issue exists in all versions up to and including 1.3.1, representing a significant security weakness that undermines the integrity of the plugin's administrative functions. The vulnerability stems from insufficient access control mechanisms within the plugin's core functionality, specifically in how it handles administrative operations through its AJAX interface.
The technical flaw manifests in the save_config() function, which processes the 'punnel_save_config' AJAX action without implementing proper capability checks or nonce validation. This function lacks the standard WordPress security measures, such as current_user_can() checks, that verify whether the requesting user possesses adequate permissions to perform administrative tasks. Additionally, the absence of nonce verification means the handler cannot distinguish a request the user intended from one forged on their behalf by a third-party page (CSRF), so requests can be submitted without proper authorization. The vulnerability affects users with Subscriber-level access or higher, meaning even low-privilege accounts can exploit this flaw to gain unauthorized control over plugin settings. The missing authorization checks create a direct pathway for privilege escalation within the plugin's administrative scope.
The operational impact of this vulnerability extends beyond simple configuration changes, as it enables attackers to fully compromise the plugin's functionality and potentially gain broader control over the WordPress site. Once an attacker successfully overwrites the plugin configuration, they can modify the API key stored within the plugin settings. This API key serves as the primary authentication mechanism for the plugin's public API endpoint, which is accessible through the sniff_requests() function at the /?punnel_api=1 endpoint. The attacker can then leverage this compromised API key to perform unauthorized operations including creating, updating, or deleting posts, pages, and products within the WordPress installation. This creates a persistent threat vector that allows attackers to manipulate site content and potentially cause data loss or compromise the site's integrity.
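To make the two preceding paragraphs concrete, the following is an added illustrative example written for this analysis; it is not the Punnel plugin's own code. It shows the shape of an AJAX handler that lacks capability and nonce checks beside a hardened version, and a constant-time token check for the public endpoint. The function names punnel_save_config_vulnerable(), punnel_save_config_secure() and punnel_api_token_is_valid(), the 'punnel_config' option key and the field names are assumptions.

```php
<?php
// Added illustrative example, not the Punnel plugin's real code. The function
// names, the 'punnel_config' option key and the field list are assumptions.

// BEFORE: the shape of the flaw described above. Any logged-in user, and any
// page that can make the browser POST to admin-ajax.php, can overwrite the
// whole configuration, API key included.
function punnel_save_config_vulnerable() {
    update_option( 'punnel_config', $_POST['config'] ); // no capability or nonce check
    wp_send_json_success();
}

// AFTER: capability check, nonce verification and input whitelisting.
function punnel_save_config_secure() {
    // 1. Only users allowed to manage site options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. Reject forged (CSRF) requests: the nonce must have been issued to this
    //    user for this specific action. check_ajax_referer() dies on failure.
    check_ajax_referer( 'punnel_save_config', '_ajax_nonce' );

    // 3. Accept only known fields and sanitise them instead of storing raw input.
    $allowed = array( 'api_key', 'default_status' );
    $clean   = array();
    foreach ( $allowed as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            $clean[ $field ] = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
        }
    }
    update_option( 'punnel_config', $clean );
    wp_send_json_success();
}
// Register only the hardened handler, and only for logged-in users: a
// privileged operation gets no 'wp_ajax_nopriv_' hook.
add_action( 'wp_ajax_punnel_save_config', 'punnel_save_config_secure' );

// The public endpoint compares the presented token against the stored key.
// hash_equals() keeps that comparison constant-time, and an empty stored key
// never matches, so an unset configuration cannot be used as a credential.
function punnel_api_token_is_valid( $presented ) {
    $config = get_option( 'punnel_config', array() );
    $stored = isset( $config['api_key'] ) ? (string) $config['api_key'] : '';
    return '' !== $stored && hash_equals( $stored, (string) $presented );
}
```

The capability check alone would not have stopped the described attack path unless the nonce check is also present, since an administrator's browser can still be driven to submit the request from another site.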
The security implications of this vulnerability align with CWE-863, which addresses "Incorrect Authorization" in software systems, and can be mapped to ATT&CK technique T1078.004 for Valid Accounts and T1566.001 for Phishing with Malicious Attachments, as attackers can leverage compromised subscriber accounts to gain elevated privileges. The vulnerability represents a classic case of insufficient authorization controls where the plugin fails to properly validate user permissions before executing administrative functions. Organizations running affected versions of the Punnel plugin face significant risk of content manipulation, potential data exfiltration, and service disruption. The ease of exploitation through standard WordPress administrative interfaces makes this vulnerability particularly dangerous, as attackers can leverage existing user accounts rather than requiring additional credential compromise.
Mitigation strategies should prioritize immediate patching of the plugin to the latest version that addresses this authorization flaw. Administrators should implement additional security measures including monitoring for unauthorized configuration changes, restricting access to administrative interfaces, and implementing proper user role management to limit subscriber privileges where possible. Network-level monitoring should be deployed to detect unusual patterns in API endpoint access and POST requests to admin-ajax.php. Security professionals should also consider implementing web application firewalls to filter malicious requests and establish baseline configurations for plugin settings that prevent unauthorized modifications. Regular security audits of WordPress plugins and themes should be conducted to identify similar authorization flaws across the entire WordPress ecosystem, ensuring comprehensive protection against similar vulnerabilities in the future.