Perceptive Security
SOC/SIEM Consultancy
Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects Funnel…
Published:
22 April 2026 at 22:00:00
Alert date:
23 April 2026 at 14:01:18
Source:
nvd.nist.gov
Web Technologies
A code injection vulnerability (CVE-2026-39440) has been discovered in FunnelFormsPro plugin by Funnelforms LLC that allows remote code inclusion attacks. The vulnerability affects all versions of FunnelFormsPro from an unspecified starting version through version 3.8.1. This is classified as an 'Improper Control of Generation of Code' vulnerability that enables attackers to execute remote code inclusion attacks. The vulnerability represents a critical security flaw that could allow attackers to execute arbitrary code on affected systems. Organizations using the affected versions of FunnelFormsPro should prioritize patching or mitigation measures.
Technical details
Mitigation steps:
Affected products:
FunnelFormsPro
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-39440
https://patchstack.com/database/wordpress/plugin/funnelforms-pro/vulnerability/wordpress-funnelformspro-plugin-3-8-1-remote-code-execution-rce-vulnerability?_s_id=cve
Related CVE's:
Related threat actors:
IOC's:
This article was created with the assistance of AI technology by Perceptive.