CVE-2026-15103
Received Received - Intake

Privilege Escalation in WPFunnels WordPress Plugin

Vulnerability report for CVE-2026-15103, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Wordfence

Description

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Privilege Escalation via arbitrary option update in all versions up to, and including, 3.12.8. This is due to the `update_settings()` REST callback failing to validate the `group_id` path parameter against an allowlist of permitted option names before passing it directly to `get_option()` and `update_option()`, allowing the built-in `wp_user_roles` option β€” which satisfies the route's loose `[\w-]+` regex β€” to be targeted. This makes it possible for authenticated attackers with the `wpf_manage_funnels` capability and above to elevate their privileges to administrator by writing a crafted role definition containing arbitrary capabilities into the `wp_user_roles` option, thereby granting any WordPress role full site administrator access. The `wpf_manage_funnels` capability is typically assigned to the Funnel Manager custom role created by the plugin, meaning this role is the minimum required to exploit the vulnerability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpfunnels funnel_builder_for_woocommerce to 3.12.8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a privilege escalation flaw in the WPFunnels plugin for WordPress. It allows authenticated attackers with the 'wpf_manage_funnels' capability to update the 'wp_user_roles' option, which defines WordPress user roles and capabilities. By exploiting this, attackers can grant themselves administrator privileges and gain full control of the site.

Detection Guidance

Check for unauthorized changes to the wp_user_roles option in the WordPress database. Use commands like: wp option get wp_user_roles to inspect roles or grep for suspicious role definitions in the database.

Impact Analysis

If you use the WPFunnels plugin with versions up to 3.12.8, an attacker with minimal access could escalate their privileges to administrator. This could lead to complete site takeover, data theft, unauthorized modifications, or installation of malicious code. The impact depends on the attacker's goals and the site's importance.

Compliance Impact

This vulnerability could severely impact compliance. A site takeover could result in unauthorized access to sensitive user data, violating GDPR or HIPAA requirements for data protection and access control. Organizations may face legal penalties, reputational damage, and loss of trust due to non-compliance.

Mitigation Strategies

Update the WPFunnels plugin to the latest version beyond 3.12.8. If an update is unavailable, restrict access to the update_settings() REST callback or disable the plugin until patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15103. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart