CVE-2026-3645

{"id": "CVE-2026-3645", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-21T04:17:33.017", "references": [{"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L118", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L156", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L179", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L403", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/tags/1.3.1/punnel.php#L410", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L118", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L156", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L179", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L403", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/punnel-landing-page-builder/trunk/punnel.php#L410", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6f54ca4-297f-44e8-8bb3-25cdc52f94ff?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Punnel \u2013 Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can()) and nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's entire configuration including the API key via a POST request to admin-ajax.php. Once the API key is known (because the attacker set it), the attacker can use the plugin's public API endpoint (sniff_requests() at /?punnel_api=1) \u2014 which only validates requests by comparing a POST token against the stored api_key \u2014 to create, update, or delete arbitrary posts, pages, and products on the site."}, {"lang": "es", "value": "El plugin Punnel \u2013 Landing Page Builder para WordPress es vulnerable a la falta de autorizaci\u00f3n en todas las versiones hasta la 1.3.1, inclusive. La funci\u00f3n save_config(), que maneja la acci\u00f3n AJAX 'punnel_save_config', carece de cualquier verificaci\u00f3n de capacidad (current_user_can()) y verificaci\u00f3n de nonce. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, sobrescriban la configuraci\u00f3n completa del plugin, incluyendo la clave API, a trav\u00e9s de una solicitud POST a admin-ajax.php. Una vez que la clave API es conocida (porque el atacante la configur\u00f3), el atacante puede usar el endpoint API p\u00fablico del plugin (sniff_requests() en /?punnel_api=1) \u2014 que solo valida las solicitudes comparando un token POST con la api_key almacenada \u2014 para crear, actualizar o eliminar publicaciones, p\u00e1ginas y productos arbitrarios en el sitio."}], "lastModified": "2026-04-24T16:27:44.277", "sourceIdentifier": "security@wordfence.com"}