CVE-2026-14345
Received Received - Intake

WPFunnels Plugin Remote Code Execution via Log File Inclusion

Vulnerability report for CVE-2026-14345, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Wordfence

Description

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the 'postData' parameter parameter. This is due to unsanitized write of attacker-controlled postData values into a PHP-includeable .log file combined with the use of include_once to render that file in wpfnl_show_log. This makes it possible for unauthenticated attackers to execute code on the server. Exploitation requires that the Log Settings "Enable Logs" toggle is on and that an administrator subsequently opens the polluted log file via the plugin's Log Settings View UI; however, the nonce required to reach the optin endpoint is publicly emitted on every funnel step page, so the injection step itself is fully unauthenticated.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpfunnels funnel_builder_for_woocommerce to 3.12.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution (RCE) in all versions up to and including 3.12.7. This vulnerability arises because attacker-controlled data sent via the 'postData' parameter is unsanitized and written into a PHP-includeable .log file. The plugin then uses include_once to render this log file in the wpfnl_show_log function. An unauthenticated attacker can exploit this by injecting malicious code into the log file when the 'Enable Logs' setting is turned on. The attack requires that an administrator later opens the compromised log file through the plugin's Log Settings View UI, which triggers the execution of the injected code. The injection step itself does not require authentication because the nonce needed to reach the optin endpoint is publicly available on every funnel step page.

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated remote attackers to execute arbitrary code on the server hosting the WordPress site. This can lead to full compromise of the server, including unauthorized access to sensitive data, modification or deletion of data, installation of malware, and disruption of services. Because the attack requires an administrator to open the polluted log file, it also exploits trust and administrative actions, potentially leading to a complete takeover of the affected system.

Detection Guidance

Detection of this vulnerability involves checking if the WPFunnels – Funnel Builder for WooCommerce plugin version is up to and including 3.12.7 and if the Log Settings "Enable Logs" toggle is enabled.

Since exploitation requires injection into a PHP-includeable .log file via the 'postData' parameter, monitoring HTTP requests for unusual or suspicious 'postData' values could help detect attempts.

Additionally, reviewing the plugin's log files for unexpected or malicious PHP code snippets may indicate exploitation.

Specific commands are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include disabling the Log Settings "Enable Logs" toggle in the WPFunnels plugin to prevent the creation of vulnerable log files.

Updating the WPFunnels plugin to a version later than 3.12.7 where this vulnerability is fixed is strongly recommended.

Avoid opening the plugin's Log Settings View UI until the vulnerability is patched or logs are confirmed clean, as opening polluted log files triggers code execution.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14345. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart