PT-2026-60439 · WordPress · Wpfunnels
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell versions prior to 3.12.9
Description
An issue exists allowing privilege escalation through an arbitrary option update. The
update settings() REST callback fails to validate the group id path parameter against an allowlist of permitted option names before passing it to get option() and update option(). Because the route uses a loose [w-]+ regex, the wp user roles option can be targeted. Authenticated attackers with the wpf manage funnels capability—typically assigned to the Funnel Manager role—can write a crafted role definition into the wp user roles option to grant any WordPress role full site administrator access.Recommendations
Update the plugin to version 3.12.9 or later.
Fix
LPE
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wpfunnels