A high-severity (CVSS 8.8) flaw in the WPFunnels WordPress plugin lets unauthenticated attackers plant PHP code that executes when an administrator later opens the affected log file.
What Is It
CVE-2026-14345 is a Remote Code Execution vulnerability in the WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress. Attacker-controlled postData values are written unsanitized into a PHP-includeable .log file, and the plugin then renders that file with include_once inside wpfnl_show_log. Because the injected content is treated as PHP when the file is included, an attacker can achieve code execution on the server. It is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
Why It Matters
The injection step is fully unauthenticated: the nonce required to reach the optin endpoint is publicly emitted on every funnel step page, so no login is needed to poison the log. Code execution is not immediate, however; it triggers only when the Log Settings "Enable Logs" toggle is on and an administrator subsequently opens the polluted log file via the plugin's Log Settings View UI. Because that final step depends on a victim action, the CVSS vector is AV:N/AC:L/PR:N/UI:R: network reachable, low complexity, and no privileges required, but requiring user interaction (an admin viewing the log), with High impact to confidentiality, integrity, and availability.
What's Vulnerable
- Product: WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell (vendor: getwpfunnels)
- Affected versions: all versions up to and including 3.12.7
- Precondition for full exploitation: "Enable Logs" toggle active and an admin opening the polluted log via the Log Settings View UI
No CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed by KEV at this time.
Patch Status
NVD lists the vulnerability status as Deferred. The referenced WordPress plugin changeset compares tags 3.12.7 to 3.12.8, indicating the fix landed in version 3.12.8. Site operators running 3.12.7 or earlier should update to the patched release.