Attack Vectors
CVE-2026-3645 affects Punnel – Landing Page Builder (slug: punnel-landing-page-builder) in versions up to and including 1.3.1. This is rated Medium severity with a CVSS 5.3 score (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
The issue is exploitable through WordPress’s standard AJAX handler (admin-ajax.php) via the punnel_save_config AJAX action. An attacker with a basic authenticated account (Subscriber-level access or higher) can send a crafted POST request to update Punnel’s plugin configuration.
From a business-risk perspective, the key takeaway is that this does not require malware on a device or a phishing click by an employee; it relies on the attacker having (or creating) a low-privilege WordPress login and then directly targeting the plugin’s settings endpoint.
Security Weakness
The vulnerable function (save_config()) that handles punnel_save_config lacks two common WordPress security controls: a capability check (such as current_user_can()) and nonce verification. This is a classic missing authorization pattern in which a feature intended for admins is reachable by lower-privileged users.
As documented in the advisory, this weakness allows authenticated attackers to overwrite the plugin’s entire configuration, including the API key, by submitting a POST request.
At the time of writing, the provided remediation notes indicate no known patch is available. Reference: CVE record and Wordfence advisory.
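The two missing controls in a WordPress AJAX handler, as an added illustration rather than the plugin's own code: the function names, the option name and the field names below are hypothetical, and only the AJAX action name punnel_save_config comes from the advisory. It shows the unchecked pattern the advisory describes beside a hardened handler that adds a capability check, nonce verification and field allow-listing.

```php
<?php
// Added illustration, not the plugin's own code. Function, option and
// field names are hypothetical; only the action name is from the advisory.

// Unchecked pattern: wp_ajax_{action} fires for every logged-in user,
// Subscriber included, and nothing here verifies who is calling or why.
// (Not registered here so the two handlers do not both run.)
// add_action( 'wp_ajax_punnel_save_config', 'punnel_save_config_unchecked' );
function punnel_save_config_unchecked() {
    $config = isset( $_POST['config'] ) ? (array) $_POST['config'] : array();
    update_option( 'punnel_config', $config ); // replaces the whole option, API key included
    wp_send_json_success();
}

// Hardened pattern: authorization, CSRF protection, then allow-listed merge.
add_action( 'wp_ajax_punnel_save_config', 'punnel_save_config_hardened' );
function punnel_save_config_hardened() {
    // 1. Capability check: only users allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Nonce verification: the request must carry a nonce issued to this
    //    user for this action (created with wp_create_nonce( 'punnel_save_config' )).
    //    check_ajax_referer() terminates the request if the nonce is invalid.
    check_ajax_referer( 'punnel_save_config', 'nonce' );

    // 3. Merge only known keys, each sanitized, into the stored configuration
    //    instead of overwriting it wholesale with request-supplied data.
    $allowed  = array( 'api_key', 'page_title', 'redirect_url' );
    $current  = (array) get_option( 'punnel_config', array() );
    $incoming = isset( $_POST['config'] ) ? (array) wp_unslash( $_POST['config'] ) : array();
    foreach ( $allowed as $key ) {
        if ( ! array_key_exists( $key, $incoming ) ) {
            continue;
        }
        $current[ $key ] = ( 'redirect_url' === $key )
            ? esc_url_raw( $incoming[ $key ] )
            : sanitize_text_field( $incoming[ $key ] );
    }
    update_option( 'punnel_config', $current );
    wp_send_json_success();
}
```

Until a patch exists, the same two checks are what to look for when auditing any other admin-ajax.php handler on the site, and a capability check alone is not enough: without the nonce, an administrator can still be tricked into submitting the request from another page.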
Technical or Business Impacts
Brand and revenue risk: If Punnel’s configuration is changed without authorization, landing page behavior can be altered in ways that impact conversion rates, campaign attribution, lead capture, and customer trust. Even small, unnoticed changes can degrade performance across paid media spend and email campaigns.
Unauthorized configuration changes: Attackers can overwrite settings (including the API key). Depending on how your organization uses Punnel, that could disrupt integrations and operational workflows tied to marketing automation or analytics.
Compliance and audit exposure: For organizations with compliance requirements, the core concern is insufficient access control on a settings-changing action. If a Subscriber-level account can change configuration, it can undermine internal controls for change management and access governance.
Risk management note: Because there is no known patch, risk decisions typically focus on mitigation (tightening account access, reducing exposure) or replacement/uninstallation. Consider disabling or uninstalling the affected plugin if your risk tolerance is low, especially on high-visibility marketing sites and campaign microsites.
Similar Attacks
Missing authorization and weak access control issues in WordPress plugins have been repeatedly exploited because they let attackers change settings or execute actions they should not be able to perform. Examples include:
CVE-2020-25213 (WP File Manager) — a widely reported WordPress plugin vulnerability that enabled severe site compromise and mass exploitation.
CVE-2019-9978 (Social Warfare) — a major WordPress plugin issue that attackers leveraged to inject malicious behavior and take over site functionality.