{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wpfunnels--funnel-builder-for-woocommerce-with-checkout--one-click-upsell-plugin--3.12.8/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-15103"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WPFunnels – Funnel Builder for WooCommerce with Checkout \u0026 One Click Upsell plugin (\u003c= 3.12.8)"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["WPFunnels","WordPress"],"content_html":"\u003cp\u003eCVE-2026-15103 describes a critical privilege escalation vulnerability affecting all versions up to, and including, 3.12.8 of the \u0026quot;WPFunnels - Funnel Builder for WooCommerce with Checkout \u0026amp; One Click Upsell\u0026quot; plugin for WordPress. The flaw resides in the \u003ccode\u003eupdate_settings()\u003c/code\u003e REST callback, which fails to properly validate the \u003ccode\u003egroup_id\u003c/code\u003e path parameter. This allows authenticated attackers with the \u003ccode\u003ewpf_manage_funnels\u003c/code\u003e capability (typically assigned to the custom \u0026quot;Funnel Manager\u0026quot; role) to manipulate the \u003ccode\u003ewp_user_roles\u003c/code\u003e option. By injecting a specially crafted role definition, attackers can grant arbitrary capabilities, including full site administrator access, to any WordPress role. This vulnerability presents a significant risk to affected WordPress sites, as it allows users with limited privileges to escalate their access to administrator level, potentially leading to full site compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker, possessing at least the \u003ccode\u003ewpf_manage_funnels\u003c/code\u003e capability, accesses the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003e/wp-json/wp-funnels/v1/settings/update-settings/{group_id}\u003c/code\u003e REST endpoint.\u003c/li\u003e\n\u003cli\u003eIn this request, the attacker sets the \u003ccode\u003e{group_id}\u003c/code\u003e path parameter to \u003ccode\u003ewp_user_roles\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a payload in the request body containing a crafted role definition that grants administrator capabilities to an existing WordPress user role, or creates a new role with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eupdate_settings()\u003c/code\u003e REST callback, failing to validate \u003ccode\u003egroup_id\u003c/code\u003e against an allowlist, passes \u003ccode\u003ewp_user_roles\u003c/code\u003e directly to \u003ccode\u003eget_option()\u003c/code\u003e and \u003ccode\u003eupdate_option()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted role definition is written into the \u003ccode\u003ewp_user_roles\u003c/code\u003e option in the WordPress database, effectively modifying user roles and capabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker, or another user, can then assume the modified role, gaining full site administrator access and control over the WordPress instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-15103 directly leads to full site compromise, as attackers can elevate their privileges to that of an administrator. This grants them complete control over the WordPress instance, including the ability to install malicious plugins, themes, modify site content, exfiltrate sensitive data, or inject web shells. While no specific victim numbers or sectors are mentioned, any WordPress site running the vulnerable WPFunnels plugin without appropriate patches is at risk. The financial and reputational damage from a complete site takeover can be substantial.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-15103 immediately by updating the \u0026quot;WPFunnels - Funnel Builder for WooCommerce with Checkout \u0026amp; One Click Upsell\u0026quot; plugin to version 3.12.9 or newer on all affected WordPress installations.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect suspicious REST API calls attempting to modify the \u003ccode\u003ewp_user_roles\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eReview webserver access logs for anomalous \u003ccode\u003ePOST\u003c/code\u003e requests to the \u003ccode\u003e/wp-json/wp-funnels/v1/settings/update-settings/wp_user_roles\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T09:20:00Z","date_published":"2026-07-16T09:20:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-wpfunnels-privilege-escalation/","summary":"Authenticated attackers with the `wpf_manage_funnels` capability can exploit CVE-2026-15103, a privilege escalation vulnerability in the `update_settings()` REST callback of the WPFunnels - Funnel Builder for WooCommerce with Checkout \u0026 One Click Upsell plugin for WordPress (versions up to and including 3.12.8), allowing them to gain full site administrator access by injecting a crafted role definition into the `wp_user_roles` option.","title":"WPFunnels Plugin Privilege Escalation via Arbitrary Option Update","url":"https://feed.craftedsignal.io/briefs/2026-07-wpfunnels-privilege-escalation/"}],"language":"en","title":"CraftedSignal Threat Feed - WPFunnels – Funnel Builder for WooCommerce With Checkout \u0026 One Click Upsell Plugin (\u003c= 3.12.8)","version":"https://jsonfeed.org/version/1.1"}