PT-2026-60439 · WordPress · Wpfunnels

·

CVE-2026-15103

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell versions prior to 3.12.9
Description An issue exists allowing privilege escalation through an arbitrary option update. The update settings() REST callback fails to validate the group id path parameter against an allowlist of permitted option names before passing it to get option() and update option(). Because the route uses a loose [w-]+ regex, the wp user roles option can be targeted. Authenticated attackers with the wpf manage funnels capability—typically assigned to the Funnel Manager role—can write a crafted role definition into the wp user roles option to grant any WordPress role full site administrator access.
Recommendations Update the plugin to version 3.12.9 or later.

Fix

LPE

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15103

Affected Products

Wpfunnels