{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3645", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-06T16:19:32.782Z", "datePublished": "2026-03-21T03:27:00.329Z", "dateUpdated": "2026-04-08T17:17:34.312Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:34.312Z"}, "affected": [{"vendor": "punnel", "product": "Punnel \u2013 Landing Page Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Punnel \u2013 Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can()) and nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's entire configuration including the API key via a POST request to admin-ajax.php. Once the API key is known (because the attacker set it), the attacker can use the plugin's public API endpoint (sniff_requests() at /?punnel_api=1) \u2014 which only validates requests by comparing a POST token against the stored api_key \u2014 to create, update, or delete arbitrary posts, pages, and products on the site."}], "title": "Punnel <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6f54ca4-297f-44e8-8bb3-25cdc52f94ff?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L410"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L410"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L403"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L403"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L179"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L179"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L118"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L118"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L156"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L156"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Phong Nguyen"}], "timeline": [{"time": "2026-03-20T15:09:24.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:55:38.136142Z", "id": "CVE-2026-3645", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:55:47.127Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3645", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:55:38.136142Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:55:43.529Z"}}], "cna": {"title": "Punnel <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "Phong Nguyen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "punnel", "product": "Punnel \u2013 Landing Page Builder", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.3.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:09:24.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6f54ca4-297f-44e8-8bb3-25cdc52f94ff?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L410"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L410"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L403"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L403"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L179"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L179"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L118"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L118"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L156"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L156"}], "descriptions": [{"lang": "en", "value": "The Punnel \u2013 Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can()) and nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's entire configuration including the API key via a POST request to admin-ajax.php. Once the API key is known (because the attacker set it), the attacker can use the plugin's public API endpoint (sniff_requests() at /?punnel_api=1) \u2014 which only validates requests by comparing a POST token against the stored api_key \u2014 to create, update, or delete arbitrary posts, pages, and products on the site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:27:00.329Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3645", "state": "PUBLISHED", "dateUpdated": "2026-03-24T13:55:47.127Z", "dateReserved": "2026-03-06T16:19:32.782Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:27:00.329Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Punnel \u2013 Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can()) and nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's entire configuration including the API key via a POST request to admin-ajax.php. Once the API key is known (because the attacker set it), the attacker can use the plugin's public API endpoint (sniff_requests() at /?punnel_api=1) \u2014 which only validates requests by comparing a POST token against the stored api_key \u2014 to create, update, or delete arbitrary posts, pages, and products on the site."}, {"lang": "es", "value": "El plugin Punnel \u2013 Landing Page Builder para WordPress es vulnerable a la falta de autorizaci\u00f3n en todas las versiones hasta la 1.3.1, inclusive. La funci\u00f3n save_config(), que maneja la acci\u00f3n AJAX 'punnel_save_config', carece de cualquier verificaci\u00f3n de capacidad (current_user_can()) y verificaci\u00f3n de nonce. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, sobrescriban la configuraci\u00f3n completa del plugin, incluyendo la clave API, a trav\u00e9s de una solicitud POST a admin-ajax.php. Una vez que la clave API es conocida (porque el atacante la configur\u00f3), el atacante puede usar el endpoint API p\u00fablico del plugin (sniff_requests() en /?punnel_api=1) \u2014 que solo valida las solicitudes comparando un token POST con la api_key almacenada \u2014 para crear, actualizar o eliminar publicaciones, p\u00e1ginas y productos arbitrarios en el sitio."}], "id": "CVE-2026-3645", "lastModified": "2026-04-24T16:27:44.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:17:33.017", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L118"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L156"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L179"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L403"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L410"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L118"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L156"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L179"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L403"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L410"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6f54ca4-297f-44e8-8bb3-25cdc52f94ff?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "punnel_\u2013_landing_page_builder", "vendor": "punnel"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T08:35:31.077994+00:00", "value": {"mitigation_remediation": ["Upgrade the Punnel plugin to a version newer than 1.3.1.", "Immediately reset the plugin\u2019s API key after upgrading to prevent reuse of a potentially compromised key.", "Audit posts, pages, and product listings created or modified during the vulnerable period for signs of unauthorized changes.", "If upgrading cannot be performed immediately, disable or block access to the public API endpoint that relies on the API key."], "summary": {"action": "Patch Immediately", "impact": "Missing Authorization leading to content tampering"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have the Punnel \u2013 Landing Page Builder plugin version 1.3.1 or earlier are affected. The vulnerability resides in the plugin\u2019s core file and is not dependent on site settings beyond the presence of the plugin and an authenticated user with at least Subscriber privileges.", "description_and_impact": "The Punnel \u2013 Landing Page Builder plugin has a missing authorization check in its AJAX handler for saving configuration. Because the function does not enforce capability checks or nonce verification, any authenticated user with Subscriber level or higher can send a POST request to the admin\u2011ajax.php endpoint and overwrite the plugin\u2019s entire configuration, including the stored API key. This flaw is identified as CWE-862, Missing Authorization, and allows attackers to take full control of the public API used by the plugin. Once the API key is compromised, the attacker can use the public API endpoint to create, modify, or delete posts, pages, and product listings on the site without further authentication.", "risk_and_exploitability": "The CVSS score of 5.3 classifies the vulnerability as moderate. No EPSS data is available, and the issue is not listed in the CISA KEV catalog. The attack vector is remote, requiring only an authenticated web session. An attacker can send a crafted POST request to /wp-admin/admin\u2011ajax.php with the action punnel_save_config, bypassing the missing security checks. After setting the API key, the attacker can exploit the unsecured public API to manipulate content on the site."}}}}, "created": "2026-03-23T09:50:04.869227+00:00", "updated": "2026-03-25T14:41:45.463763+00:00", "vendors": ["punnel", "punnel$PRODUCT$punnel_\u2013_landing_page_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}