The Punnel – Landing Page Builder plugin for WordPress suffers from a Missing Authorization vulnerability (CWE-862) identified as CVE-2026-3645. The root cause lies in the save_config() function, which handles the 'punnel_save_config' AJAX action but lacks any capability checks (such as current_user_can()) and nonce verification. This flaw allows any authenticated user with at least Subscriber-level access to send a POST request to admin-ajax.php and overwrite the plugin’s entire configuration, including the critical API key. Since the API key is used to authenticate requests to the plugin’s public API endpoint (/?punnel_api=1), an attacker who sets this key can then perform unauthorized actions such as creating, updating, or deleting posts, pages, and products on the WordPress site. The API endpoint validates requests solely by comparing a POST token against the stored API key, which the attacker controls after exploitation. This vulnerability does not require elevated privileges beyond Subscriber, does not require user interaction, and can be exploited remotely over the network. The CVSS 3.1 base score is 5.3 (medium severity), reflecting the lack of confidentiality impact but significant integrity impact. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of publication. The vulnerability affects all versions up to and including 1.3.1 of the plugin.

This vulnerability allows attackers with minimal privileges (Subscriber-level) to fully control the plugin’s configuration, including setting the API key, which then enables them to manipulate site content arbitrarily via the plugin’s public API. This can lead to unauthorized content creation, modification, or deletion, potentially defacing websites, injecting malicious content, or disrupting e-commerce operations if products are affected. Although confidentiality is not directly impacted, the integrity and availability of site content are at risk. Attackers could use this to undermine trust in the website, damage brand reputation, or facilitate further attacks such as phishing or malware distribution. Organizations relying on this plugin for landing page management or e-commerce should consider this a significant risk to site integrity and operational continuity.

Immediate mitigation steps include restricting access to the WordPress admin area to trusted users only and auditing user roles to ensure no unnecessary Subscriber-level accounts exist. Disable or remove the Punnel plugin if it is not essential. Monitor admin-ajax.php requests for suspicious POST activity related to 'punnel_save_config' and the public API endpoint '/?punnel_api=1'. Implement web application firewall (WAF) rules to block unauthorized POST requests to these endpoints from low-privilege users. Since no official patch is currently available, consider applying custom code to add capability checks (e.g., current_user_can('manage_options')) and nonce verification to the save_config() function to prevent unauthorized configuration changes. Regularly check for plugin updates or vendor advisories and apply patches promptly once released. Conduct thorough site integrity checks to detect unauthorized content changes and reset API keys if compromise is suspected.