Summary
CVE-2026-14345 is a critical unauthenticated Remote Code Execution (RCE) vulnerability in the WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell WordPress plugin, affecting all versions up to and including 3.12.7. Scored CVSS 9.8 (Critical), this flaw enables a remote unauthenticated attacker to inject arbitrary PHP code into a server-side log file, which is subsequently executed when an administrator accesses the plugin’s log view. A patched release, version 3.12.8, is available and immediate upgrade is strongly recommended.
Technical details
- Root cause: The plugin fails to sanitize attacker-controlled values supplied via the
postDataparameter before writing them to a PHP-includeable.logfile. Thewpfnl_show_logfunction later renders this file viainclude_once, causing any embedded PHP code to execute in the server context. - Unauthenticated injection: The nonce required to reach the vulnerable optin endpoint is publicly emitted on every funnel step page, making the log-poisoning step completely unauthenticated — no credentials or session are required for the initial attack.
- Trigger conditions: Full code execution requires that the plugin’s Log Settings "Enable Logs" toggle is active, and that an administrator subsequently opens the poisoned log file through the plugin’s Log Settings View UI — a natural and routine administrative action.
- Attack vector: Fully network-accessible; WordPress sites are inherently internet-facing and the plugin’s presence is detectable via the public asset path
/wp-content/plugins/wpfunnels/. - Impact: Complete confidentiality, integrity, and availability compromise of the affected server — arbitrary PHP code runs with web-server process privileges.
Affected software
- WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell (plugin slug:
wpfunnels), all versions from 0 through 3.12.7 inclusive.
Severity
- CVSS v3.1 Base Score: 9.8 (Critical)
- Vector string:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Mitigation and recommended actions
- Immediate: Update the WPFunnels plugin to version 3.12.8 or later, which contains the vendor-provided security fix. The patched version is available directly from the WordPress Plugin Repository.
- If immediate patching is not possible: Disable the "Enable Logs" option in the plugin’s Log Settings. This prevents the vulnerable log-write path from being reached and eliminates the condition required for exploitation until the update can be applied.
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

