External risk intelligence

WPFunnels WooCommerce Plugin Unauthenticated Remote Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-14345

The vulnerability exists in a WordPress plugin designed for e-commerce and funnel building. Such plugins are typically deployed on public-facing websites to handle customer traffic, transactions, and user interactions, making the associated web application surface commonly reachable from the internet.

Unrestricted File Upload

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the WPFunnels – Funnel Builder for WooCommerce plugin, which could allow unauthenticated attackers to execute arbitrary code on your WordPress servers. This issue stems from how the plugin handles log data, potentially enabling attackers to inject malicious code that executes when administrator-level logs are viewed. While exploitation requires specific conditions, the unauthenticated nature of the initial injection vector is a significant concern.

  • Unauthenticated code execution via plugin logs.
  • Critical risk for public-facing e-commerce sites.
  • Confirm relevance and any potential exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by injecting malicious code through the 'postData' parameter of the WPFunnels plugin. This code is then written to a log file and later included by the plugin, leading to remote code execution on the server. The initial injection does not require any authentication, but exploitation is contingent on the logging feature being enabled and an administrator later viewing the log file through the plugin's interface.

  • Requires network access to the site.
  • Log settings enabled, admin views log file.
  • Unauthenticated remote code execution.

Live Threat

Current exploitation, exposure, and threat context

When the plugin's logging is enabled and an administrator views the log file, unauthenticated attackers could execute arbitrary code on the server by manipulating the 'postData' parameter to write malicious content into a log file that is subsequently included by the application.

  • Server-side code execution.
  • Attacker-controlled data written to log file.
  • Compromise of the web server.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in a WordPress plugin necessitates immediate attention from the application owner and infrastructure team. The first practical step is to locate all instances of the affected plugin, confirm their reachability and business criticality, and identify the accountable owner for each instance before planning remediation.

  • Application owners should take primary responsibility.
  • Verify plugin usage and administrator enablement of logs.
  • Plan remediation and coordinate with the vendor.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the WPFunnels plugin for WordPress?

WPFunnels is a specialized marketing plugin for WordPress designed to help WooCommerce store owners create custom sales funnels. It manages customer journeys, checkout paths, and upsell sequences. Because it integrates directly into the e-commerce checkout flow, it is a core component for sites selling products online that need to track visitor interactions and optimize conversion rates.

What does CWE-434 mean regarding CVE-2026-14345?

CWE-434 refers to Unrestricted Upload of File with Dangerous Type. In this CVE, the plugin fails to properly clean data sent to it, allowing that data to be written into a log file. Because the application later uses a PHP command to include and process that log file, an attacker can essentially hide malicious code inside the log. When the system reads the log, it executes that hidden code instead of just treating it as plain text.

Do I need to be logged in to trigger this vulnerability?

No. The initial injection of malicious data into the log file can be performed by an unauthenticated attacker, meaning no account is required to start the attack. However, the code will not execute just by sending the data. The vulnerability only triggers if the plugin's 'Enable Logs' setting is turned on and an administrator later views the compromised log file through the plugin's internal settings interface.

Why should I care about this CVE if I run a website?

According to Halo Surface Signal, this plugin is frequently used on public-facing websites to manage customer traffic and transactions, meaning the application surface is easily reachable from the internet. Even though the final execution requires an administrator action, the ability for an outsider to inject code into your server's logs represents a high-risk security gap for any e-commerce operation.

How do I start addressing this issue?

Begin by auditing your WordPress environment to identify if you have the WPFunnels plugin installed and which versions are running. Verify the status of the 'Enable Logs' toggle within the plugin settings. If the feature is active, consider disabling it immediately while you coordinate with your team to review the vendor's updates and plan a migration to a patched version of the software.

References