mediumCVE-2026-13080

WPFunnels WordPress Plugin Local File Inclusion Vulnerability

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.12.7 via the 'logKey' parameter parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

ProductWPFunnels
CVSS6.6
EPSS0.0071
UpdatedJuly 10, 2026

Quick answer

WPFunnels should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • WPFunnels up to and including 3.12.7

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

WPFunnels is affected by CVE-2026-13080. Versions up to 3.12.7 allow local file inclusion through a plugin parameter: administrator-level users can include arbitrary PHP files through the logKey parameter. Patch the plugin and verify no attacker-controlled PHP files are present.

  1. Inventory WordPress and WooCommerce sites using WPFunnels.
  2. Update WPFunnels beyond 3.12.7 when a vendor-fixed release is available.
  3. Restrict the affected log or admin endpoint to trusted administrators until patched.
  4. Search uploads, logs, cache, and plugin directories for unexpected PHP files that could be included.
  5. Harden file permissions so web users cannot write executable files into includeable paths.
  6. Review web logs for logKey traversal or inclusion attempts.
  7. Restore from trusted backups and rotate credentials if code execution is suspected.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm WPFunnels is no longer version 3.12.7 or older.
  • Test a safe invalid logKey value in staging and confirm arbitrary file paths are rejected.
  • Run file integrity checks for WordPress core, plugins, themes, uploads, and logs.
  • Confirm legitimate funnel logging and admin features still work after remediation.
  • Run a Fixnx scan and verify public WordPress exposure after cleanup.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-13080?

WPFunnels versions listed as affected should be reviewed: WPFunnels up to and including 3.12.7.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.