<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>WPFunnels – Funnel Builder for WooCommerce With Checkout &amp; One Click Upsell Plugin (&lt;= 3.12.8) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/wpfunnels--funnel-builder-for-woocommerce-with-checkout--one-click-upsell-plugin--3.12.8/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 09:20:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/wpfunnels--funnel-builder-for-woocommerce-with-checkout--one-click-upsell-plugin--3.12.8/feed.xml" rel="self" type="application/rss+xml"/><item><title>WPFunnels Plugin Privilege Escalation via Arbitrary Option Update</title><link>https://feed.craftedsignal.io/briefs/2026-07-wpfunnels-privilege-escalation/</link><pubDate>Thu, 16 Jul 2026 09:20:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-wpfunnels-privilege-escalation/</guid><description>Authenticated attackers with the `wpf_manage_funnels` capability can exploit CVE-2026-15103, a privilege escalation vulnerability in the `update_settings()` REST callback of the WPFunnels - Funnel Builder for WooCommerce with Checkout &amp; One Click Upsell plugin for WordPress (versions up to and including 3.12.8), allowing them to gain full site administrator access by injecting a crafted role definition into the `wp_user_roles` option.</description><content:encoded><![CDATA[<p>CVE-2026-15103 describes a critical privilege escalation vulnerability affecting all versions up to, and including, 3.12.8 of the &quot;WPFunnels - Funnel Builder for WooCommerce with Checkout &amp; One Click Upsell&quot; plugin for WordPress. The flaw resides in the <code>update_settings()</code> REST callback, which fails to properly validate the <code>group_id</code> path parameter. This allows authenticated attackers with the <code>wpf_manage_funnels</code> capability (typically assigned to the custom &quot;Funnel Manager&quot; role) to manipulate the <code>wp_user_roles</code> option. By injecting a specially crafted role definition, attackers can grant arbitrary capabilities, including full site administrator access, to any WordPress role. This vulnerability presents a significant risk to affected WordPress sites, as it allows users with limited privileges to escalate their access to administrator level, potentially leading to full site compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker, possessing at least the <code>wpf_manage_funnels</code> capability, accesses the WordPress site.</li>
<li>The attacker crafts a malicious request targeting the <code>/wp-json/wp-funnels/v1/settings/update-settings/{group_id}</code> REST endpoint.</li>
<li>In this request, the attacker sets the <code>{group_id}</code> path parameter to <code>wp_user_roles</code>.</li>
<li>The attacker includes a payload in the request body containing a crafted role definition that grants administrator capabilities to an existing WordPress user role, or creates a new role with elevated privileges.</li>
<li>The vulnerable <code>update_settings()</code> REST callback, failing to validate <code>group_id</code> against an allowlist, passes <code>wp_user_roles</code> directly to <code>get_option()</code> and <code>update_option()</code>.</li>
<li>The crafted role definition is written into the <code>wp_user_roles</code> option in the WordPress database, effectively modifying user roles and capabilities.</li>
<li>The attacker, or another user, can then assume the modified role, gaining full site administrator access and control over the WordPress instance.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-15103 directly leads to full site compromise, as attackers can elevate their privileges to that of an administrator. This grants them complete control over the WordPress instance, including the ability to install malicious plugins, themes, modify site content, exfiltrate sensitive data, or inject web shells. While no specific victim numbers or sectors are mentioned, any WordPress site running the vulnerable WPFunnels plugin without appropriate patches is at risk. The financial and reputational damage from a complete site takeover can be substantial.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-15103 immediately by updating the &quot;WPFunnels - Funnel Builder for WooCommerce with Checkout &amp; One Click Upsell&quot; plugin to version 3.12.9 or newer on all affected WordPress installations.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect suspicious REST API calls attempting to modify the <code>wp_user_roles</code> option.</li>
<li>Review webserver access logs for anomalous <code>POST</code> requests to the <code>/wp-json/wp-funnels/v1/settings/update-settings/wp_user_roles</code> endpoint.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>privilege-escalation</category><category>wordpress</category><category>plugin</category></item></channel></rss>