{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39440", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T08:24:21.369Z", "datePublished": "2026-04-23T12:11:41.992Z", "dateUpdated": "2026-04-23T13:39:41.336Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T12:11:41.992Z"}, "title": "WordPress FunnelFormsPro plugin <= 3.8.1 - Remote Code Execution (RCE) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "affected": [{"vendor": "Funnelforms LLC", "product": "FunnelFormsPro", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "3.8.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.<p>This issue affects FunnelFormsPro: from n/a through 3.8.1.</p>"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/funnelforms-pro/vulnerability/wordpress-funnelformspro-plugin-3-8-1-remote-code-execution-rce-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "3ele / Sebastian Weiss | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T13:38:15.620447Z", "id": "CVE-2026-39440", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T13:39:41.336Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39440", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T13:38:15.620447Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T13:38:46.105Z"}}], "cna": {"title": "WordPress FunnelFormsPro plugin <= 3.8.1 - Remote Code Execution (RCE) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "3ele / Sebastian Weiss | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Funnelforms LLC", "product": "FunnelFormsPro", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "3.8.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/funnelforms-pro/vulnerability/wordpress-funnelformspro-plugin-3-8-1-remote-code-execution-rce-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.<p>This issue affects FunnelFormsPro: from n/a through 3.8.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T12:11:41.992Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39440", "state": "PUBLISHED", "dateUpdated": "2026-04-23T13:39:41.336Z", "dateReserved": "2026-04-07T08:24:21.369Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-23T12:11:41.992Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1."}], "id": "CVE-2026-39440", "lastModified": "2026-04-23T14:28:55.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-23T13:16:11.893", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/funnelforms-pro/vulnerability/wordpress-funnelformspro-plugin-3-8-1-remote-code-execution-rce-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.8.1]"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 94.0, "source": "matching"}]}, "original": {"product": "FunnelFormsPro", "source": "cna", "vendor": "Funnelforms LLC"}, "product": "funnelforms", "vendor": "funnelforms"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T14:53:44.883721+00:00", "value": {"mitigation_remediation": ["Upgrade FunnelFormsPro to the latest available version (any release after 3.8.1).", "If an upgrade is not immediately feasible, disable or remove the FunnelFormsPro plugin from the WordPress installation to block the attack surface.", "Consider restricting file execution privileges for plugin directories and applying web application firewall rules to block suspicious code injection patterns until a formal patch is deployed."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Funnelforms LLC\u2019s FunnelFormsPro plugin for WordPress, all versions from the earliest release through 3.8.1, is affected. The plugin is typically installed in WordPress sites that rely on funnel or form functionalities.", "description_and_impact": "The vulnerability is an Improper Control of Generation of Code flaw that allows an attacker to remotely include arbitrary code within the FunnelFormsPro plugin. Because the plugin can process user input without adequate sanitization, an attacker can inject code that will be executed by the server. This provides an attacker with the potential to compromise the entire hosting environment, exfiltrate confidential data, or establish persistence, representing a critical confidentiality, integrity, and availability impact.", "risk_and_exploitability": "With a CVSS score of 9.9, the technical severity is extremely high. The EPSS score of less than 1% indicates that, at the time of assessment, the probability of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed active exploitation. However, the remote nature of the flaw means that any WordPress site running an affected version is susceptible if an attacker can supply crafted input; this inference is based on the plugin\u2019s exposure via HTTP requests. The threat remains high due to the potential for total compromise, and the risk persists until a patch or mitigation is applied."}}}}, "created": "2026-04-28T09:00:06.158886+00:00", "updated": "2026-04-28T15:00:14.515653+00:00", "vendors": ["funnelforms", "funnelforms$PRODUCT$funnelforms", "wordpress", "wordpress$PRODUCT$wordpress"]}