<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>WPFunnels - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/wpfunnels/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 06:22:20 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/wpfunnels/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14345: Unauthenticated Remote Code Execution in WPFunnels WordPress Plugin</title><link>https://feed.craftedsignal.io/briefs/2026-07-wpfunnels-rce/</link><pubDate>Tue, 07 Jul 2026 06:22:20 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-wpfunnels-rce/</guid><description>An unauthenticated remote code execution vulnerability (CVE-2026-14345) exists in the WPFunnels – Funnel Builder for WooCommerce with Checkout &amp; One Click Upsell plugin for WordPress, affecting versions up to and including 3.12.7, allowing attackers to inject malicious PHP code into a log file via the 'postData' parameter, which is then executed when an administrator views the log.</description><content:encoded><![CDATA[<p>A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-14345, has been identified in the WPFunnels – Funnel Builder for WooCommerce with Checkout &amp; One Click Upsell plugin for WordPress, impacting all versions up to and including 3.12.7. This flaw allows unauthenticated attackers to execute arbitrary code on the server by exploiting an unsanitized write of attacker-controlled data from the 'postData' parameter into a PHP-includeable <code>.log</code> file. The vulnerability is triggered when an administrator subsequently views the polluted log file via the plugin's Log Settings View UI, leading to the execution of the injected code via <code>include_once</code>. While this requires the &quot;Enable Logs&quot; setting to be active and an administrator viewing the log, the nonce needed for the initial injection step is publicly exposed on every funnel step page, making the initial code injection fully unauthenticated.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site utilizing a vulnerable version (&lt;= 3.12.7) of the WPFunnels plugin, where the &quot;Enable Logs&quot; setting is active.</li>
<li>The attacker accesses any publicly available funnel step page on the target WordPress site to harvest the nonce, which is publicly emitted and required for the next step.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the plugin's &quot;optin endpoint,&quot; embedding PHP code within the 'postData' parameter, along with the previously retrieved nonce.</li>
<li>Due to improper input sanitization, the vulnerable WPFunnels plugin writes the attacker-controlled 'postData', including the malicious PHP code, directly into a PHP-includeable <code>.log</code> file on the web server's filesystem.</li>
<li>An administrator of the WordPress site later navigates to the WPFunnels plugin's Log Settings View UI within the WordPress administrative dashboard, potentially for routine monitoring or troubleshooting.</li>
<li>Upon viewing the logs, the plugin's <code>wpfnl_show_log</code> function uses <code>include_once</code> to render the content of the polluted <code>.log</code> file.</li>
<li>The <code>include_once</code> call executes the malicious PHP code previously injected by the attacker, leading to unauthenticated Remote Code Execution on the underlying web server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14345 results in unauthenticated Remote Code Execution (RCE) on the vulnerable WordPress web server. This provides attackers with full control over the compromised server, enabling them to deface the website, inject malware, exfiltrate sensitive data, establish persistence, or use the server as a pivot point for further attacks on the internal network. The CVSS v3.1 base score of 9.8 indicates a critical severity, highlighting the ease of exploitation and significant potential for damage, impacting any organization running the affected plugin versions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-14345 immediately by updating the &quot;WPFunnels – Funnel Builder for WooCommerce with Checkout &amp; One Click Upsell plugin&quot; to a version greater than 3.12.7.</li>
<li>Review WordPress <code>webserver</code> access logs for unusual POST requests targeting plugin-related &quot;optin endpoints&quot; that might contain suspicious data in the request body, indicating exploitation attempts for CVE-2026-14345.</li>
<li>Monitor file integrity and changes within the <code>wp-content/plugins/wpfunnels/</code> directory, specifically looking for unexpected modifications or creations of <code>.log</code> or <code>.php</code> files.</li>
<li>If the plugin's &quot;Enable Logs&quot; setting is not essential for operational requirements, consider disabling it to eliminate the log file pollution vector associated with CVE-2026-14345.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>web-exploit</category><category>rce</category><category>wordpress</category><category>plugin-vulnerability</category></item></channel></rss>