Skip to main content

FunnelFormsPro CVE-2026-39440

| EUVDEUVD-2026-25220 CRITICAL
Code Injection (CWE-94)
2026-04-23 Patchstack
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 23, 2026 - 13:22 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 13:15 vuln.today
EUVD ID Assigned
Apr 23, 2026 - 12:45 euvd
EUVD-2026-25220
Analysis Generated
Apr 23, 2026 - 12:45 vuln.today
CVE Published
Apr 23, 2026 - 12:11 nvd
CRITICAL 9.9

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1.

AnalysisAI

Remote code execution in FunnelFormsPro WordPress plugin (versions up to 3.8.1) allows authenticated attackers to inject and execute arbitrary code on vulnerable servers. The CVSS 9.9 Critical rating reflects the scope change (S:C) and complete system compromise (C:H/I:H/A:H). Exploitation requires low-privilege authentication (PR:L) but no user interaction, making it exploitable by subscriber-level WordPress accounts. EPSS and KEV status not provided in available data, limiting real-world exploitation confidence assessment.

Technical ContextAI

FunnelFormsPro is a WordPress form builder plugin developed by Funnelforms LLC, identified by CPE cpe:2.3:a:funnelforms_llc:funnelformspro. The vulnerability stems from CWE-94 (Improper Control of Generation of Code), indicating the plugin fails to properly sanitize or validate user-supplied input before using it in dynamic code generation or evaluation contexts. This typically occurs when plugins use PHP functions like eval(), create_function(), or deserialize untrusted data without proper validation. The WordPress plugin architecture grants authenticated users varying privilege levels, and this vulnerability's PR:L requirement suggests even low-privileged accounts can trigger the code injection. The scope change (S:C) in the CVSS vector indicates the vulnerable component's privileges differ from the impacted component, meaning code executes beyond the plugin's intended security boundary, likely at the web server or WordPress core privilege level.

RemediationAI

Primary remediation: Immediately check for FunnelFormsPro plugin updates beyond version 3.8.1 in the WordPress admin dashboard under Plugins > Installed Plugins, or consult Funnelforms LLC vendor communications. No specific patched version number is confirmed in the provided data - contact the vendor directly at Funnelforms LLC or monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/funnelforms-pro/vulnerability/wordpress-funnelformspro-plugin-3-8-1-remote-code-execution-rce-vulnerability) for update notifications. Compensating controls if patch unavailable: (1) Disable FunnelFormsPro plugin entirely until patched version released - this breaks form functionality but eliminates RCE risk; (2) Disable new user registration in WordPress Settings > General > Membership (set 'Anyone can register' to unchecked) to prevent attacker account creation, though this doesn't protect against compromised existing accounts; (3) Implement Web Application Firewall (WAF) rules to inspect and block POST requests to FunnelFormsPro endpoints containing suspicious PHP functions (eval, base64_decode, system, exec) - beware this may cause false positives with legitimate form submissions; (4) Restrict plugin access to administrator roles only using a role management plugin, though this may break intended user workflows. Each workaround trades functionality for security - option 1 provides strongest protection but complete feature loss.

Share

CVE-2026-39440 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy