Impact
The vulnerability exists because the WPFunnels plugin trusts a user-controlled setting called 'optin_allow_registration' to decide whether new users may register. When this flag is set to true, the plugin skips the site-wide registration restriction and allows any visitor to create an account without authentication. This is a privilege escalation flaw (CWE-639) that enables attackers to create accounts that could be used for spam, phishing, or further exploitation of the WordPress site.
Affected Systems
The affected product is the WordPress plugin WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell, versions up to and including 3.6.2. Sites running any of these versions are affected; no other vendors or product lines are listed.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. The EPSS score is less than 1%, indicating that widespread exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the most probable attack path is inferred to require an unauthenticated user to submit a registration request that includes 'optin_allow_registration' set to a truthy value; no special privileges are needed. If a site protects itself by disabling WordPress registration or limiting account creation, the impact is mitigated, but the flaw remains present until the plugin logic is updated.
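As an added illustration covering the flaw described under Impact and the mitigation note above (this is not WPFunnels' own code), the sketch below contrasts the vulnerable pattern the description implies, where a request-supplied 'optin_allow_registration' flag overrides the site setting, with a hardened handler whose policy decision comes only from server-side configuration. The REST route, option name and function names are assumed for illustration.

```php
<?php
// Illustrative only: not the WPFunnels source. Route, option and function names are assumed.

// VULNERABLE PATTERN (as the advisory describes): whether registration is
// allowed is read from request data that any unauthenticated visitor controls,
// so the site-wide 'users_can_register' setting can be bypassed.
function demo_optin_register_vulnerable( WP_REST_Request $request ) {
    $allow = $request->get_param( 'optin_allow_registration' );
    if ( $allow || get_option( 'users_can_register' ) ) {
        return demo_create_user( $request );
    }
    return new WP_Error( 'registration_disabled', 'Registration is disabled.', array( 'status' => 403 ) );
}

// HARDENED: the request never decides policy. The permission callback consults
// only the core site setting and (if the plugin needs its own switch) an option
// that administrators save through the settings screen, never request input.
function demo_optin_registration_allowed( WP_REST_Request $request ) {
    $site_allows   = (bool) get_option( 'users_can_register' );
    $plugin_allows = (bool) get_option( 'demo_optin_allow_registration', false ); // assumed admin-only option
    if ( ! $site_allows || ! $plugin_allows ) {
        return new WP_Error( 'registration_disabled', 'Registration is disabled.', array( 'status' => 403 ) );
    }
    return true;
}

function demo_create_user( WP_REST_Request $request ) {
    $login = sanitize_user( (string) $request->get_param( 'user_login' ), true );
    $email = sanitize_email( (string) $request->get_param( 'user_email' ) );
    // Core helper: validates login/email, creates the user, and sends the password-setup mail.
    $user_id = register_new_user( $login, $email );
    if ( is_wp_error( $user_id ) ) {
        return new WP_Error( $user_id->get_error_code(), $user_id->get_error_message(), array( 'status' => 400 ) );
    }
    return rest_ensure_response( array( 'user_id' => $user_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-optin/v1', '/register', array(
        'methods'             => 'POST',
        'callback'            => 'demo_create_user',
        'permission_callback' => 'demo_optin_registration_allowed', // policy enforced server-side
    ) );
} );
```

The hardened route ignores 'optin_allow_registration' entirely, so disabling registration in Settings > General is honoured regardless of what the request carries.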
OpenCVE Enrichment