Description
The WPFunnels plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpfnl_delete_log() function in all versions up to, and including, 3.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-11-08
Score: 6.5 Medium
EPSS: 1.0% Low
KEV: No
Impact: Arbitrary file deletion enabling possible remote code execution
Action: Apply Patch
AI Analysis

Impact

The WPFunnels plugin allows an authenticated administrator to delete any file on the server because the file path is not validated in the wpfnl_delete_log() function. The attacker can target critical system files such as wp-config.php, which can lead to remote code execution if the configuration file is removed or tampered with. The weakness is a classic path‑traversal flaw (CWE‑22) and requires administrative credentials to exploit.

Affected Systems

The vulnerability affects the WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin from the getwpfunnels vendor. All releases up to and including 3.6.2 are impacted; newer releases are expected to have fixed the flaw.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of 1% suggests a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, but it remains exploitable by authenticated users with administrator rights, which is a common role in many WordPress sites. The path traversal flaw enables deletion of arbitrary files, making the potential impact high if vital configuration files are removed.

Generated by OpenCVE AI on April 21, 2026 at 01:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPFunnels plugin to the latest version (≥3.6.3).
  • Restrict folder permissions so that non‑privileged users cannot delete critical configuration files.
  • Limit administrator‑level accounts and enforce least‑privilege practices for users who can access WordPress admin.



Advisories

No advisories yet.

History

Mon, 10 Nov 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 10 Nov 2025 09:45:00 +0000

Type: First Time appeared
Values Added: Getwpfunnels; Getwpfunnels wpfunnels; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Getwpfunnels; Getwpfunnels wpfunnels; Wordpress; Wordpress wordpress

Sat, 08 Nov 2025 03:45:00 +0000

Type: Description
Values Added: The WPFunnels plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpfnl_delete_log() function in all versions up to, and including, 3.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Type: Title
Values Added: WPFunnels <= 3.6.2 - Authenticated (Administrator+) Arbitrary File Deletion via Path Traversal

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:08.002Z

Reserved: 2025-10-20T21:28:29.626Z

Link: CVE-2025-12000

Vulnrichment

Updated: 2025-11-10T14:07:26.864Z

NVD

Status: Deferred

Published: 2025-11-08T04:15:43.753

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12000

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses