oM noM Security Feeds cve
vulnerability context

CVE-2026-14345

CVSS 9.8 CRITICALCWE-434

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the 'postData' parameter parameter. This is due to unsanitized write of attacker-controlled postData values into a PHP-includeable .log file combined with the use of include_once to render that file in wpfnl_show_log. This makes it possible for unauthenticated attackers to execute code on the server. Exploitation requires that the Log Settings "Enable Logs" toggle is on and that an administrator subsequent...

Published 2026-07-07

details

CISA KEV status
Not in catalog
CVSS v3
9.8 / CRITICAL
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-434
OTX pulses
0 total, 0 recent

source mentions 2

source consensus

  • Bluesky
Want the 3-bullet summary of CVE-2026-14345, plus webhook alerts when KEV is updated? Pro is $10/mo.