PT-2026-26864 · Punnel · Punnel – Landing Page Builder

Phong Nguyen · Published 2026-03-21 · Updated 2026-03-21

CVE-2026-3645 · CVSS v3.1 5.3 (Medium) · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can()) and nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's entire configuration, including the API key, via a POST request to admin-ajax.php. Once the API key is known (because the attacker set it), the attacker can use the plugin's public API endpoint (sniff_requests() at /?punnel_api=1) — which only validates requests by comparing a POST token against the stored api_key — to create, update, or delete arbitrary posts, pages, and products on the site.
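The pattern behind this finding is a WordPress wp_ajax_* handler that is reachable by any logged-in user but performs neither a nonce check nor a capability check, so the plugin's stored API key can be overwritten and then reused against the key-gated front-end endpoint. The following is an added illustration written for this advisory, not the Punnel plugin's own code: it places the insecure handler shape next to a hardened one and shows a constant-time, fail-closed token check for the public endpoint. The hook names, option name, nonce action, request field names and the punnel_example_ prefix are assumptions chosen for the example.

```php
<?php
// Added example (not the Punnel plugin's own code). Hook names, option names,
// the nonce action and the request fields are assumptions for illustration.

// --- Insecure shape, as described in the advisory --------------------------
// Any authenticated user can invoke a wp_ajax_* action. Without a nonce and a
// capability check, a Subscriber can replace the stored API key.
function punnel_example_save_config_insecure() {
    $config = array(
        'api_key' => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
    );
    update_option( 'punnel_example_config', $config );
    wp_send_json_success();
}

// --- Hardened shape --------------------------------------------------------
function punnel_example_save_config() {
    // 1. CSRF protection: the nonce issued to the settings page must match.
    //    check_ajax_referer() terminates the request on mismatch.
    check_ajax_referer( 'punnel_example_save_config', 'nonce' );

    // 2. Authorization: only users allowed to manage plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $config = array(
        'api_key' => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
    );
    update_option( 'punnel_example_config', $config );
    wp_send_json_success();
}
add_action( 'wp_ajax_punnel_example_save_config', 'punnel_example_save_config' );

// --- Public API endpoint -------------------------------------------------
// Compare the presented token against the stored key in constant time and
// fail closed when no key has been configured yet (an empty stored key must
// never match an empty or missing token).
function punnel_example_sniff_requests() {
    if ( ! isset( $_GET['punnel_example_api'] ) ) {
        return;
    }
    $config = get_option( 'punnel_example_config', array() );
    $stored = isset( $config['api_key'] ) ? (string) $config['api_key'] : '';
    $token  = isset( $_POST['token'] ) ? (string) wp_unslash( $_POST['token'] ) : '';

    if ( '' === $stored || ! hash_equals( $stored, $token ) ) {
        wp_send_json_error( array( 'message' => 'invalid token' ), 401 );
    }

    // Authenticated request: content create/update/delete handling goes here.
    wp_send_json_success();
}
add_action( 'init', 'punnel_example_sniff_requests' );
```

Two design points worth noting for detection and review: the nonce alone is not authorization (a Subscriber can obtain a nonce for a page they can view), which is why the capability check is separate; and an endpoint that gates sensitive actions on a single stored secret should be audited together with every code path that can write that secret, since the advisory's impact comes from the write path, not from the comparison itself.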

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-3645

Affected Products

Punnel – Landing Page Builder