Live Exposure Defense: From CVE to Confirmed Exposure in 12 Hours – See more

New CVE Detected

CVE-2026-14345 – Unauthenticated Remote Code Execution – WPFunnels WordPress Plugin up to 3.12.7

Be the first to know when new zero-days emerge:

Summary

CVE-2026-14345 is a critical unauthenticated Remote Code Execution (RCE) vulnerability in the WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell WordPress plugin, affecting all versions up to and including 3.12.7. Scored CVSS 9.8 (Critical), this flaw enables a remote unauthenticated attacker to inject arbitrary PHP code into a server-side log file, which is subsequently executed when an administrator accesses the plugin’s log view. A patched release, version 3.12.8, is available and immediate upgrade is strongly recommended.

Technical details

  • Root cause: The plugin fails to sanitize attacker-controlled values supplied via the postData parameter before writing them to a PHP-includeable .log file. The wpfnl_show_log function later renders this file via include_once, causing any embedded PHP code to execute in the server context.
  • Unauthenticated injection: The nonce required to reach the vulnerable optin endpoint is publicly emitted on every funnel step page, making the log-poisoning step completely unauthenticated — no credentials or session are required for the initial attack.
  • Trigger conditions: Full code execution requires that the plugin’s Log Settings "Enable Logs" toggle is active, and that an administrator subsequently opens the poisoned log file through the plugin’s Log Settings View UI — a natural and routine administrative action.
  • Attack vector: Fully network-accessible; WordPress sites are inherently internet-facing and the plugin’s presence is detectable via the public asset path /wp-content/plugins/wpfunnels/.
  • Impact: Complete confidentiality, integrity, and availability compromise of the affected server — arbitrary PHP code runs with web-server process privileges.

Affected software

  • WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell (plugin slug: wpfunnels), all versions from 0 through 3.12.7 inclusive.

Severity

  • CVSS v3.1 Base Score: 9.8 (Critical)
  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Mitigation and recommended actions

  • Immediate: Update the WPFunnels plugin to version 3.12.8 or later, which contains the vendor-provided security fix. The patched version is available directly from the WordPress Plugin Repository.
  • If immediate patching is not possible: Disable the "Enable Logs" option in the plugin’s Log Settings. This prevents the vulnerable log-write path from being reached and eliminates the condition required for exploitation until the update can be applied.

IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

References

Are you exposed?

Get a free report of your organization’s exposure to this CVE and threat

How IONIX’s External Exposure Management Platform Detects and Validates
Zero-Days to Shrink MTTR

1

Map your entire attack surface (continously)

IONIX uses multi-factor discovery methods, including DNS analysis, certificate mapping, metadata inspection, and more, to automatically map every internet-facing asset across your environment. This includes cloud instances, third-party platforms, shadow IT, and even forgotten infrastructure that traditional tools miss.

2

Monitor for new CVEs

Dozens of threat intel feeds using agentic technology are continuously analyzed to detect the appearance of proof-of-concept code, exploit kits, and indicators of active targeting. IONIX goes further by applying AI to proactively evaluate whether emerging vulnerabilities are likely to be exploited, even before PoCs go public.

3

Identify Potential External Exposures

Not all CVEs matter. IONIX filters vulnerabilities by asking attacker-centric questions: Can it be reached from the internet? Does it require authentication? Is it being exploited in the wild? This dramatically reduces noise and focuses teams on threats that can actually be weaponized.

4

Create Safe, Scalable Exploit Validations

IONIX transforms real-world PoCs into safe, non-intrusive test payloads that can be run in production environments without disruption. These simulations are precisely targeted to the systems that are vulnerable, ensuring rapid validation without unnecessary load.

5

Execute Exploit Validations

By combining context about software stack, versioning, exposure status, and reachability, IONIX ensures that only the right payloads are executed against the right assets, maximizing efficiency and minimizing risk.

6

Drive Fast and Actionable Remediation

Results are routed through integrations with ticketing, SOAR, and SIEM tools. Issues are written in plain language, bundled into remediation clusters, and prioritized based on asset criticality, exploitability, and blast radius. This shortens mean time to remediation (MTTR) and empowers teams to act with confidence.

Are you exposed?

Get a free report of your organization’s exposure to this CVE and threat

Subscribe to Threat Center RSS

Copy/paste the link below into your preferred RSS reader or follow these instructions to subscribe to Slack alerts.

Get Real-Time CVE Alerts to Your Email

Be the first to know when new zero-days emerge