{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wpfunnels--funnel-builder-for-woocommerce-with-checkout--one-click-upsell-plugin--3.12.7/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-14345"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WPFunnels – Funnel Builder for WooCommerce with Checkout \u0026 One Click Upsell plugin \u003c= 3.12.7"],"_cs_severities":["critical"],"_cs_tags":["web-exploit","rce","wordpress","plugin-vulnerability"],"_cs_type":"advisory","_cs_vendors":["WPFunnels","WordPress"],"content_html":"\u003cp\u003eA critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-14345, has been identified in the WPFunnels – Funnel Builder for WooCommerce with Checkout \u0026amp; One Click Upsell plugin for WordPress, impacting all versions up to and including 3.12.7. This flaw allows unauthenticated attackers to execute arbitrary code on the server by exploiting an unsanitized write of attacker-controlled data from the 'postData' parameter into a PHP-includeable \u003ccode\u003e.log\u003c/code\u003e file. The vulnerability is triggered when an administrator subsequently views the polluted log file via the plugin's Log Settings View UI, leading to the execution of the injected code via \u003ccode\u003einclude_once\u003c/code\u003e. While this requires the \u0026quot;Enable Logs\u0026quot; setting to be active and an administrator viewing the log, the nonce needed for the initial injection step is publicly exposed on every funnel step page, making the initial code injection fully unauthenticated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site utilizing a vulnerable version (\u0026lt;= 3.12.7) of the WPFunnels plugin, where the \u0026quot;Enable Logs\u0026quot; setting is active.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses any publicly available funnel step page on the target WordPress site to harvest the nonce, which is publicly emitted and required for the next step.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the plugin's \u0026quot;optin endpoint,\u0026quot; embedding PHP code within the 'postData' parameter, along with the previously retrieved nonce.\u003c/li\u003e\n\u003cli\u003eDue to improper input sanitization, the vulnerable WPFunnels plugin writes the attacker-controlled 'postData', including the malicious PHP code, directly into a PHP-includeable \u003ccode\u003e.log\u003c/code\u003e file on the web server's filesystem.\u003c/li\u003e\n\u003cli\u003eAn administrator of the WordPress site later navigates to the WPFunnels plugin's Log Settings View UI within the WordPress administrative dashboard, potentially for routine monitoring or troubleshooting.\u003c/li\u003e\n\u003cli\u003eUpon viewing the logs, the plugin's \u003ccode\u003ewpfnl_show_log\u003c/code\u003e function uses \u003ccode\u003einclude_once\u003c/code\u003e to render the content of the polluted \u003ccode\u003e.log\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003einclude_once\u003c/code\u003e call executes the malicious PHP code previously injected by the attacker, leading to unauthenticated Remote Code Execution on the underlying web server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14345 results in unauthenticated Remote Code Execution (RCE) on the vulnerable WordPress web server. This provides attackers with full control over the compromised server, enabling them to deface the website, inject malware, exfiltrate sensitive data, establish persistence, or use the server as a pivot point for further attacks on the internal network. The CVSS v3.1 base score of 9.8 indicates a critical severity, highlighting the ease of exploitation and significant potential for damage, impacting any organization running the affected plugin versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-14345 immediately by updating the \u0026quot;WPFunnels – Funnel Builder for WooCommerce with Checkout \u0026amp; One Click Upsell plugin\u0026quot; to a version greater than 3.12.7.\u003c/li\u003e\n\u003cli\u003eReview WordPress \u003ccode\u003ewebserver\u003c/code\u003e access logs for unusual POST requests targeting plugin-related \u0026quot;optin endpoints\u0026quot; that might contain suspicious data in the request body, indicating exploitation attempts for CVE-2026-14345.\u003c/li\u003e\n\u003cli\u003eMonitor file integrity and changes within the \u003ccode\u003ewp-content/plugins/wpfunnels/\u003c/code\u003e directory, specifically looking for unexpected modifications or creations of \u003ccode\u003e.log\u003c/code\u003e or \u003ccode\u003e.php\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eIf the plugin's \u0026quot;Enable Logs\u0026quot; setting is not essential for operational requirements, consider disabling it to eliminate the log file pollution vector associated with CVE-2026-14345.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T06:22:20Z","date_published":"2026-07-07T06:22:20Z","id":"https://feed.craftedsignal.io/briefs/2026-07-wpfunnels-rce/","summary":"An unauthenticated remote code execution vulnerability (CVE-2026-14345) exists in the WPFunnels – Funnel Builder for WooCommerce with Checkout \u0026 One Click Upsell plugin for WordPress, affecting versions up to and including 3.12.7, allowing attackers to inject malicious PHP code into a log file via the 'postData' parameter, which is then executed when an administrator views the log.","title":"CVE-2026-14345: Unauthenticated Remote Code Execution in WPFunnels WordPress Plugin","url":"https://feed.craftedsignal.io/briefs/2026-07-wpfunnels-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - WPFunnels – Funnel Builder for WooCommerce With Checkout \u0026 One Click Upsell Plugin \u003c= 3.12.7","version":"https://jsonfeed.org/version/1.1"}