Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1.
AnalysisAI
Remote code execution in FunnelFormsPro WordPress plugin (versions up to 3.8.1) allows authenticated attackers to inject and execute arbitrary code on vulnerable servers. The CVSS 9.9 Critical rating reflects the scope change (S:C) and complete system compromise (C:H/I:H/A:H). Exploitation requires low-privilege authentication (PR:L) but no user interaction, making it exploitable by subscriber-level WordPress accounts. EPSS and KEV status not provided in available data, limiting real-world exploitation confidence assessment.
Technical ContextAI
FunnelFormsPro is a WordPress form builder plugin developed by Funnelforms LLC, identified by CPE cpe:2.3:a:funnelforms_llc:funnelformspro. The vulnerability stems from CWE-94 (Improper Control of Generation of Code), indicating the plugin fails to properly sanitize or validate user-supplied input before using it in dynamic code generation or evaluation contexts. This typically occurs when plugins use PHP functions like eval(), create_function(), or deserialize untrusted data without proper validation. The WordPress plugin architecture grants authenticated users varying privilege levels, and this vulnerability's PR:L requirement suggests even low-privileged accounts can trigger the code injection. The scope change (S:C) in the CVSS vector indicates the vulnerable component's privileges differ from the impacted component, meaning code executes beyond the plugin's intended security boundary, likely at the web server or WordPress core privilege level.
RemediationAI
Primary remediation: Immediately check for FunnelFormsPro plugin updates beyond version 3.8.1 in the WordPress admin dashboard under Plugins > Installed Plugins, or consult Funnelforms LLC vendor communications. No specific patched version number is confirmed in the provided data - contact the vendor directly at Funnelforms LLC or monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/funnelforms-pro/vulnerability/wordpress-funnelformspro-plugin-3-8-1-remote-code-execution-rce-vulnerability) for update notifications. Compensating controls if patch unavailable: (1) Disable FunnelFormsPro plugin entirely until patched version released - this breaks form functionality but eliminates RCE risk; (2) Disable new user registration in WordPress Settings > General > Membership (set 'Anyone can register' to unchecked) to prevent attacker account creation, though this doesn't protect against compromised existing accounts; (3) Implement Web Application Firewall (WAF) rules to inspect and block POST requests to FunnelFormsPro endpoints containing suspicious PHP functions (eval, base64_decode, system, exec) - beware this may cause false positives with legitimate form submissions; (4) Restrict plugin access to administrator roles only using a role management plugin, though this may break intended user workflows. Each workaround trades functionality for security - option 1 provides strongest protection but complete feature loss.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25220