Skip to main content

WPFunnels WooCommerce Plugin Unauthenticated Log Injection Leads to Remote Code Execution (CVE-2026-14345)

Scope: WPFunnels Funnel Builder for WooCommerce Plugin Versions up to and Including 3.12.7

Severity: Red

A critical remote code execution vulnerability (CVSS 9.8) in the WPFunnels WordPress plugin, disclosed July 7, 2026, allows unauthenticated attackers to inject arbitrary PHP code into the plugin's log file via the publicly exposed postData parameter, whose security nonce is broadcast on every funnel step page rather than being properly restricted. The injected PHP code executes with web server privileges the moment any administrator opens the plugin's log viewing interface, a routine and expected administrative activity, making the second-stage trigger reliable without any social engineering. Organizations running WooCommerce stores with WPFunnels must update to version 3.12.8 or later immediately; where patching is delayed, disable the plugin's logging feature via Log Settings, and audit existing log files for injected PHP content including <?php tags and eval() calls as indicators of prior exploitation.

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.