SYS::ONLINE
Wasteland.
Briefs1115
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-14345 2026-07-07

WPFunnels RCE: Unauthenticated Code Execution via Poisoned Log File (CVE-2026-14345)

"A high-severity (CVSS 8.8) flaw in the WPFunnels WordPress plugin lets unauthenticated attackers plant PHP code that executes when an administrator later opens the affected log file."

A high-severity (CVSS 8.8) flaw in the WPFunnels WordPress plugin lets unauthenticated attackers plant PHP code that executes when an administrator later opens the affected log file.

What Is It

CVE-2026-14345 is a Remote Code Execution vulnerability in the WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress. Attacker-controlled postData values are written unsanitized into a PHP-includeable .log file, and the plugin then renders that file with include_once inside wpfnl_show_log. Because the injected content is treated as PHP when the file is included, an attacker can achieve code execution on the server. It is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).

Why It Matters

The injection step is fully unauthenticated: the nonce required to reach the optin endpoint is publicly emitted on every funnel step page, so no login is needed to poison the log. Code execution is not immediate, however; it triggers only when the Log Settings "Enable Logs" toggle is on and an administrator subsequently opens the polluted log file via the plugin's Log Settings View UI. Because that final step depends on a victim action, the CVSS vector is AV:N/AC:L/PR:N/UI:R: network reachable, low complexity, and no privileges required, but requiring user interaction (an admin viewing the log), with High impact to confidentiality, integrity, and availability.

What's Vulnerable

No CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed by KEV at this time.

Patch Status

NVD lists the vulnerability status as Deferred. The referenced WordPress plugin changeset compares tags 3.12.7 to 3.12.8, indicating the fix landed in version 3.12.8. Site operators running 3.12.7 or earlier should update to the patched release.

Sources