Vulnerability Overview
A high-severity privilege escalation vulnerability (CVSS 8.8) has been identified in WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell, a popular WordPress plugin. The flaw, tracked as CVE-2026-15103, affects all versions up to and including 3.12.8.
Successful exploitation allows an authenticated attacker — as low-privileged as a subscriber — to update arbitrary WordPress site options, effectively granting themselves administrative access or altering core site configuration.
Technical Details
The vulnerability exists in the plugin's update_settings() REST API callback. The function fails to properly validate the group_id parameter before processing option updates. Because this REST endpoint lacks sufficient authorization checks tied to the incoming group_id, any authenticated user can craft a malicious request to modify options they should not have access to.
Vulnerability class: Improper authorization (CWE-285)
Attack vector: Network
Attack complexity: Low
Privileges required: Low (Subscriber-level WordPress account)
User interaction: None
CVSS v3.1 Score: 8.8 (High)
Impact
An attacker with even a basic subscriber account on the affected WordPress site can:
- Update arbitrary site options in the WordPress database
- Escalate privileges to administrator level by modifying user role options
- Modify critical site settings such as the site's admin email, default user role, or plugin configuration
- Achieve persistence by creating backdoor accounts or installing malicious code
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| WPFunnels – Funnel Builder for WooCommerce | All versions <= 3.12.8 | Update immediately |
Remediation
Immediate action: Update the WPFunnels plugin to the latest available version beyond 3.12.8. Check the WordPress plugin repository or your site's plugin management interface for the patched release.
If an immediate update is not possible:
- Disable the plugin temporarily until patching is feasible
- Restrict WordPress user registrations to prevent unauthorized account creation
- Audit site options for unexpected changes, particularly
default_roleand admin email settings - Review user accounts for unexpected privilege escalations
Detection
Monitor your WordPress site for:
- Unexpected REST API calls to WPFunnels endpoints from low-privileged accounts
- Changes to site options that do not correspond to legitimate administrative actions
- New administrator-level accounts appearing without explicit creation
- Entries in server logs showing
POSTrequests to/wp-json/from authenticated non-admin users
WordPress Plugin Security Best Practices
Privilege escalation flaws in WordPress plugins are among the most critical vulnerability classes because they can compromise entire sites with minimal attacker effort. Site owners should:
- Keep all plugins updated — enable auto-updates where possible for security releases
- Limit user registration — avoid open registration unless required by your use case
- Use a WordPress security scanner (Wordfence, Patchstack, or Solid Security) for continuous vulnerability monitoring
- Review REST API exposure — consider restricting unauthenticated REST API access where not needed
- Perform regular user audits — periodically review WordPress user accounts and their assigned roles