Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion. This issue affects FunnelFormsPro: from n/a through 3.8.1.
Published: 2026-04-23
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an Improper Control of Generation of Code flaw that allows an attacker to remotely include arbitrary code within the FunnelFormsPro plugin. Because the plugin can process user input without adequate sanitization, an attacker can inject code that will be executed by the server. This provides an attacker with the potential to compromise the entire hosting environment, exfiltrate confidential data, or establish persistence, representing a critical confidentiality, integrity, and availability impact.

Affected Systems

Funnelforms LLC’s FunnelFormsPro plugin for WordPress, all versions from the earliest release through 3.8.1, is affected. The plugin is typically installed in WordPress sites that rely on funnel or form functionalities.

Risk and Exploitability

With a CVSS score of 9.9, the technical severity is extremely high. The EPSS score of less than 1% indicates that, at the time of assessment, the probability of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed active exploitation. However, the remote nature of the flaw means that any WordPress site running an affected version is susceptible if an attacker can supply crafted input; this inference is based on the plugin’s exposure via HTTP requests. The threat remains high due to the potential for total compromise, and the risk persists until a patch or mitigation is applied.

Generated by OpenCVE AI on April 28, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FunnelFormsPro to the latest available version (any release after 3.8.1).
  • If an upgrade is not immediately feasible, disable or remove the FunnelFormsPro plugin from the WordPress installation to block the attack surface.
  • Consider restricting file execution privileges for plugin directories and applying web application firewall rules to block suspicious code injection patterns until a formal patch is deployed.


Tracking


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Funnelforms, Funnelforms funnelforms, Wordpress, Wordpress wordpress
Vendors & Products  |                | Funnelforms, Funnelforms funnelforms, Wordpress, Wordpress wordpress

Thu, 23 Apr 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 12:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion. This issue affects FunnelFormsPro: from n/a through 3.8.1.
Title       |                | WordPress FunnelFormsPro plugin <= 3.8.1 - Remote Code Execution (RCE) vulnerability
Weaknesses  |                | CWE-94
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T13:39:41.336Z

Reserved: 2026-04-07T08:24:21.369Z

Link: CVE-2026-39440

Vulnrichment

Updated: 2026-04-23T13:38:46.105Z

NVD

Status : Deferred

Published: 2026-04-23T13:16:11.893

Modified: 2026-04-23T14:28:55.557

Link: CVE-2026-39440

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses