CVE-2026-3645

Name of the Vulnerable Software and Affected Versions Punnel – Landing Page Builder plugin for WordPress versions through 1.3.1

Description The Punnel – Landing Page Builder plugin for WordPress is subject to a missing authorization issue. The save config() function, responsible for handling the 'punnel save config' AJAX action, does not include capability checks or nonce verification. This allows authenticated attackers with Subscriber-level access or higher to modify the plugin’s configuration, including the API key, through a POST request to the ''/admin-ajax.php'' endpoint. With access to the API key, attackers can leverage the plugin’s public API endpoint (''/?punnel api=1'')—which validates requests by comparing a POST token against the stored api key—to create, update, or delete arbitrary posts, pages, and products on the site.

Recommendations Versions prior to and including 1.3.1 should be updated to a newer, fixed version when available. As a temporary workaround, consider restricting access to the 'punnel save config' AJAX action.