This text was generated using artificial intelligence (AI).On July 7, 2026, a critical vulnerability was discovered in the WordPress plugin WPFunnels published, which have a CVSS score of 9.8 has been assessed. The gap, documented as CVE-2026-14345 (according to Wordfence CNA), this vulnerability allows attackers to execute arbitrary code on the server (Remote Code Execution, RCE). All plugin versions up to and including 3.12.7 are affected. A security update to version 3.12.8 is available and should be installed immediately.
Affected software: WPFunnels – Funnel Builder for WooCommerce
Affected versions: All versions up to and including 3.12.7
Type of gap: Remote Code Execution (RCE)
Fixed version: 3.12.8 (published on July 6, 2026)
Technical Analysis of the Vulnerability
The Vulnerability CVE-2026-14345 This is caused by insufficient validation of input data in the plugin's logging function. The attack occurs in two phases:
Code injection (unauthenticated): An attacker can inject specially crafted PHP code via the postData-Send parameters to the system. The plugin writes this input unfiltered to a log file with the extension .log. Although a nonce token is required for this action, it is issued on every public page of a sales funnel. This allows this step to be performed without prior authentication.
Code execution (administrator-controlled): The malicious code is actually executed when an administrator accesses the log files through the plugin's user interface. In this process, the tampered log file is loaded using the PHP function include_once loaded, and the PHP code it contains is executed in the context of the web server.
Although the final step requires administrator interaction, unauthenticated injection allows attackers to prepare the malicious code and wait for an opportune moment to execute it.
Risk Assessment and Business Impact
Successful exploitation of this RCE vulnerability can lead to the complete compromise of the website. Since WPFunnels is frequently used in e-commerce environments with WooCommerce, the potential consequences are serious:
Data Theft: Leakage of sensitive customer and payment data.
System Takeover: Attackers can take control of the server to launch further attacks or spread malware.
Loss of integrity: Tampering with web content, prices, or orders.
Damage to reputation: Loss of trust among customers and business partners.
Operators of WooCommerce stores in the EU must file a report in accordance with GDPR Art. 33 report to the relevant data protection supervisory authority within 72 hours. Under NIS-2 Operators of essential or important facilities may be subject to additional, more stringent reporting requirements and risk mitigation measures. The BSI generally recommends installing security updates for critical vulnerabilities without delay.
It should also be noted that WPFunnels will already be available in April 2026 with CVE-2026-0626 (Stored Cross-Site Scripting in versions up to and including 3.7.9) was affected by a publicly reported vulnerability. The RCE vulnerability that has now been disclosed is the second critical vulnerability in this plugin within three months—a fact that underscores the third-party risk associated with this plugin.
Recommended Actions
Companies using the WPFunnels plugin should take the following steps immediately:
Immediate action: Update the WPFunnels-Upgrade plugins to version 3.12.8 or later. This is the most effective way to fix the vulnerability.
Alternative containment: If an immediate update is not possible, disable the logging feature in the plugin settings („Enable Logs“) to block the attack vector.
Short-term exam: Check the server logs for suspicious access to the plugin's log view and examine the WPFunnels log files for signs of tampering.
How External Attack Surface Management (EASM) Helps
Vulnerabilities such as CVE-2026-14345 highlight the need to continuously monitor one’s own external attack surface. Often, companies are not aware of all the software components they use—especially on marketing websites, in test environments, or on forgotten subdomains (shadow IT).
An EASM platform such as LocateRisk supports this process on several levels:
Inventory: LocateRisk continuously identifies all externally accessible systems, including publicly accessible WordPress installations and previously unknown shadow IT. This allows you to quickly identify where WordPress instances are running within your infrastructure—even in areas where systems aren’t centrally tracked—and to specifically verify their version status.
Vulnerability Detection: The platform detects known vulnerabilities in the identified components and enables rapid risk assessment and prioritization of necessary updates.
Continuous vulnerability monitoring: Every installed plugin increases your attack surface. LocateRisk continuously monitors your publicly accessible web assets and alerts you to exposed, outdated components—even in cases of recurring vulnerabilities from the same vendor.
Automated monitoring of the attack surface can significantly reduce the time between the disclosure of a vulnerability and its resolution within your organization.
Continuous monitoring of your external IT systems is a fundamental component of cyber defense. LocateRisk helps you identify exposed and potentially vulnerable systems early on and reduce the risk of exploitation.
All versions of the plugin up to and including 3.12.7 are affected by the CVE-2026-14345 vulnerability. The vulnerability was fixed with the release of version 3.12.8 on July 6, 2026.
Due to the critical CVSS score of 9.8, this update is considered very urgent. Attackers can take the first step toward compromising the system—code injection via the postData-Parameter — Perform without authentication, since the required nonce token is displayed on every public Funnel page.
As of the publication of this article, Wordfence reports no active exploits. However, experience has shown that attackers begin conducting automated scans for vulnerable systems shortly after critical vulnerabilities are disclosed, which is why an immediate update is recommended.
CVE Quick Check
In just a few minutes, check whether there are any indications of a current CVE on your externally visible attack surface.
A rough estimate in just a few minutes via email.
Learn more during a free consultation with a LocateRisk consultant.
You'll receive this by email
companyYour Company, LLC
Verified CVECVE-2024-3094
Passive Assessment
Information About the CVENotes found
Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!
We use cookies to optimize our website and our service.
Functional
Always active
Technical storage or access is strictly necessary for the lawful purpose of enabling the use of a particular service expressly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a message over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that have not been requested by the subscriber or user.
Statistics
The technical storage or access, which is carried out exclusively for statistical purposes.Technical storage or access used solely for anonymous statistical purposes. Without a subpoena, the voluntary consent of your Internet service provider, or additional records from third parties, information stored or accessed for this purpose alone generally cannot be used to identify you.
Marketing
Technical storage or access is necessary to create user profiles, to send advertisements, or to track the user on a website or across multiple websites for similar marketing purposes.