The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Privilege Escalation via arbitrary option update in all versions up to, and including, 3.12.8. This is due to the `update_settings()` REST callback failing to validate the `group_id` path parameter against an allowlist of permitted option names before passing it directly to `get_option()` and `update_option()`, allowing the built-in `wp_user_roles` option — which satisfies the route's loose `[\w-]+` regex — to be targeted. This makes it possible for authenticated attackers with the `wpf_manage_funnels` capability and above to elevate their privileges to administrator by writing a crafted role definition containing arbitrary capabilities into the `wp_user_roles` option, thereby granting any WordPress role full site administrator access. The `wpf_manage_funnels` capability is typically assigned to the Funnel Manager custom role created by the plugin, meaning this role is the minimum required to exploit the vulnerability.
WPFunnels <= 3.12.8 - Authenticated (Funnel Manager+) Privilege Escalation via 'group_id' Path Parameter
Problem type
Affected products
getwpfunnels
<= 3.12.8 - AFFECTED
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/76ad6d21-f277-496f-aa6b-f9d5cb8a3801?source=cve
https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/core/rest-api/Controllers/class-settings-controller.php#L462
https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/core/rest-api/Controllers/class-settings-controller.php#L66
https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/core/rest-api/Controllers/class-settings-controller.php#L40
https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/utils/class-wpfnl-functions.php#L1216
https://plugins.trac.wordpress.org/changeset?reponame=&old=3607181%40wpfunnels&new=3607181%40wpfunnels
GitHub Security Advisories
GHSA-qq4q-jv8x-6fjm
The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for...
https://github.com/advisories/GHSA-qq4q-jv8x-6fjmThe WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Privilege Escalation via arbitrary option update in all versions up to, and including, 3.12.8. This is due to the update_settings() REST callback failing to validate the group_id path parameter against an allowlist of permitted option names before passing it directly to get_option() and update_option(), allowing the built-in wp_user_roles option — which satisfies the route's loose [\w-]+ regex — to be targeted. This makes it possible for authenticated attackers with the wpf_manage_funnels capability and above to elevate their privileges to administrator by writing a crafted role definition containing arbitrary capabilities into the wp_user_roles option, thereby granting any WordPress role full site administrator access. The wpf_manage_funnels capability is typically assigned to the Funnel Manager custom role created by the plugin, meaning this role is the minimum required to exploit the vulnerability.
https://nvd.nist.gov/vuln/detail/CVE-2026-15103
https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/core/rest-api/Controllers/class-settings-controller.php#L40
https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/core/rest-api/Controllers/class-settings-controller.php#L462
https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/core/rest-api/Controllers/class-settings-controller.php#L66
https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/utils/class-wpfnl-functions.php#L1216
https://plugins.trac.wordpress.org/changeset?reponame=&old=3607181%40wpfunnels&new=3607181%40wpfunnels
https://www.wordfence.com/threat-intel/vulnerabilities/id/76ad6d21-f277-496f-aa6b-f9d5cb8a3801?source=cve
https://github.com/advisories/GHSA-qq4q-jv8x-6fjm
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-15103Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-15103",
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"dateUpdated": "2026-07-16T08:26:50.831Z",
"dateReserved": "2026-07-08T16:58:02.760Z",
"datePublished": "2026-07-16T08:26:50.831Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence",
"dateUpdated": "2026-07-16T08:26:50.831Z"
},
"title": "WPFunnels <= 3.12.8 - Authenticated (Funnel Manager+) Privilege Escalation via 'group_id' Path Parameter",
"descriptions": [
{
"lang": "en",
"value": "The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Privilege Escalation via arbitrary option update in all versions up to, and including, 3.12.8. This is due to the `update_settings()` REST callback failing to validate the `group_id` path parameter against an allowlist of permitted option names before passing it directly to `get_option()` and `update_option()`, allowing the built-in `wp_user_roles` option — which satisfies the route's loose `[\\w-]+` regex — to be targeted. This makes it possible for authenticated attackers with the `wpf_manage_funnels` capability and above to elevate their privileges to administrator by writing a crafted role definition containing arbitrary capabilities into the `wp_user_roles` option, thereby granting any WordPress role full site administrator access. The `wpf_manage_funnels` capability is typically assigned to the Funnel Manager custom role created by the plugin, meaning this role is the minimum required to exploit the vulnerability."
}
],
"affected": [
{
"vendor": "getwpfunnels",
"product": "WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "3.12.8"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-269 Improper Privilege Management",
"cweId": "CWE-269",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/76ad6d21-f277-496f-aa6b-f9d5cb8a3801?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/core/rest-api/Controllers/class-settings-controller.php#L462"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/core/rest-api/Controllers/class-settings-controller.php#L66"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/core/rest-api/Controllers/class-settings-controller.php#L40"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/utils/class-wpfnl-functions.php#L1216"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=&old=3607181%40wpfunnels&new=3607181%40wpfunnels"
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"baseScore": 8.8,
"baseSeverity": "HIGH"
}
}
],
"timeline": [
{
"time": "2026-07-08T17:13:14.000Z",
"lang": "en",
"value": "Vendor Notified"
},
{
"time": "2026-07-15T20:13:20.000Z",
"lang": "en",
"value": "Disclosed"
}
],
"credits": [
{
"lang": "en",
"value": "PRISM",
"type": "finder"
}
]
}
}
}