CVE-2026-15103: CWE-269 Improper Privilege Management in getwpfunnels WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell
The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Privilege Escalation via arbitrary option update in all versions up to, and including, 3.12.8. This is due to the `update_settings()` REST callback failing to validate the `group_id` path parameter against an allowlist of permitted option names before passing it directly to `get_option()` and `update_option()`, allowing the built-in `wp_user_roles` option — which satisfies the route's loose `[\w-]+` regex — to be targeted. This makes it possible for authenticated attackers with the `wpf_manage_funnels` capability and above to elevate their privileges to administrator by writing a crafted role definition containing arbitrary capabilities into the `wp_user_roles` option, thereby granting any WordPress role full site administrator access. The `wpf_manage_funnels` capability is typically assigned to the Funnel Manager custom role created by the plugin, meaning this role is the minimum required to exploit the vulnerability.
AI Analysis
Technical Summary
The WPFunnels plugin for WooCommerce is vulnerable to improper privilege management (CWE-269) due to insufficient validation in the update_settings() REST API endpoint. The group_id path parameter is not restricted to an allowlist, allowing an attacker with the wpf_manage_funnels capability to update the wp_user_roles option. By crafting a malicious role definition, the attacker can escalate their privileges to administrator, gaining full site control. This affects all versions up to and including 3.12.8. The vulnerability has a CVSS 3.1 score of 8.8 (high severity).
Potential Impact
An authenticated user with the wpf_manage_funnels capability (typically the Funnel Manager role) can escalate their privileges to administrator by modifying WordPress role definitions. This grants full administrative access to the site, compromising confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict the assignment of the wpf_manage_funnels capability to trusted users only. Monitor for updates from the vendor and apply official patches once released.
CVE-2026-15103: CWE-269 Improper Privilege Management in getwpfunnels WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell
Description
The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Privilege Escalation via arbitrary option update in all versions up to, and including, 3.12.8. This is due to the `update_settings()` REST callback failing to validate the `group_id` path parameter against an allowlist of permitted option names before passing it directly to `get_option()` and `update_option()`, allowing the built-in `wp_user_roles` option — which satisfies the route's loose `[\w-]+` regex — to be targeted. This makes it possible for authenticated attackers with the `wpf_manage_funnels` capability and above to elevate their privileges to administrator by writing a crafted role definition containing arbitrary capabilities into the `wp_user_roles` option, thereby granting any WordPress role full site administrator access. The `wpf_manage_funnels` capability is typically assigned to the Funnel Manager custom role created by the plugin, meaning this role is the minimum required to exploit the vulnerability.
CVSS v3.1
Score 8.8high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The WPFunnels plugin for WooCommerce is vulnerable to improper privilege management (CWE-269) due to insufficient validation in the update_settings() REST API endpoint. The group_id path parameter is not restricted to an allowlist, allowing an attacker with the wpf_manage_funnels capability to update the wp_user_roles option. By crafting a malicious role definition, the attacker can escalate their privileges to administrator, gaining full site control. This affects all versions up to and including 3.12.8. The vulnerability has a CVSS 3.1 score of 8.8 (high severity).
Potential Impact
An authenticated user with the wpf_manage_funnels capability (typically the Funnel Manager role) can escalate their privileges to administrator by modifying WordPress role definitions. This grants full administrative access to the site, compromising confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict the assignment of the wpf_manage_funnels capability to trusted users only. Monitor for updates from the vendor and apply official patches once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-07-08T16:58:02.760Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a589acd68715ace43b1c4a0
Added to database: 07/16/2026, 08:48:13 UTC
Last enriched: 07/16/2026, 09:02:53 UTC
Last updated: 07/16/2026, 19:47:30 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.