Product
Authenticated attackers with the `wpf_manage_funnels` capability can exploit CVE-2026-15103, a privilege escalation vulnerability in the `update_settings()` REST callback of the WPFunnels - Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress (versions up to and including 3.12.8), allowing them to gain full site administrator access by injecting a crafted role definition into the `wp_user_roles` option.