Skip to main content

Wpfunnels Funnel Builder For Woocommerce With Checkout One Click Upsell

2 CVEs product

Monthly

CVE-2026-15103 HIGH This Week

Privilege escalation in the WPFunnels (Funnel Builder for WooCommerce) plugin for WordPress lets authenticated users holding the wpf_manage_funnels capability — typically the plugin's Funnel Manager custom role — rewrite the global wp_user_roles option and grant their own role full administrator capabilities. All versions up to and including 3.12.8 are affected, and Wordfence rates it CVSS 8.8 (High). No public exploit has been identified at time of analysis, but the root cause is trivial (an unvalidated option name reaching update_option()), making reliable weaponization straightforward for a low-privileged insider.

Privilege Escalation WordPress Wpfunnels Funnel Builder For Woocommerce With Checkout One Click Upsell
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13080 MEDIUM This Month

Local File Inclusion in the WPFunnels WordPress plugin (all versions through 3.12.7) allows authenticated administrators to include and execute arbitrary PHP files on the server via the unsanitized `logKey` parameter, yielding full remote code execution when combined with file upload capability. The attack requires administrator-level WordPress credentials and high complexity - specifically the ability to place a PHP file on the server - materially limiting the exploitable population. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a routine-patching priority tier despite its severe potential impact.

WordPress LFI RCE PHP Information Disclosure +1
NVD
CVSS 3.1
6.6
EPSS
0.7%
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the WPFunnels (Funnel Builder for WooCommerce) plugin for WordPress lets authenticated users holding the wpf_manage_funnels capability — typically the plugin's Funnel Manager custom role — rewrite the global wp_user_roles option and grant their own role full administrator capabilities. All versions up to and including 3.12.8 are affected, and Wordfence rates it CVSS 8.8 (High). No public exploit has been identified at time of analysis, but the root cause is trivial (an unvalidated option name reaching update_option()), making reliable weaponization straightforward for a low-privileged insider.

Privilege Escalation WordPress Wpfunnels Funnel Builder For Woocommerce With Checkout One Click Upsell
NVD VulDB
EPSS 1% CVSS 6.6
MEDIUM This Month

Local File Inclusion in the WPFunnels WordPress plugin (all versions through 3.12.7) allows authenticated administrators to include and execute arbitrary PHP files on the server via the unsanitized `logKey` parameter, yielding full remote code execution when combined with file upload capability. The attack requires administrator-level WordPress credentials and high complexity - specifically the ability to place a PHP file on the server - materially limiting the exploitable population. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a routine-patching priority tier despite its severe potential impact.

WordPress LFI RCE +3
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy