CVE-2026-39440

🗓️ 23 Apr 2026 12:11:41Reported by PatchstackType

cve🔗 web.nvd.nist.gov📰️ 1 Media mentions👁 15 Views🌐 WEB

WordPress FunnelFormsPro plugin up to version 3.8.1 has remote code execution via code injection.

Reporter	Title	Published	Views	Family All 11
GithubExploit	Exploit for CVE-2026-39440	4 May 202608:33	–	githubexploit
Circl	CVE-2026-39440	23 Apr 202615:16	–	circl
CNNVD	WordPress plugin FunnelFormsPro 代码注入漏洞	23 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-39440 WordPress FunnelFormsPro plugin <= 3.8.1 - Remote Code Execution (RCE) vulnerability	23 Apr 202612:11	–	cvelist
EUVD	EUVD-2026-25220	23 Apr 202615:38	–	euvd
NVD	CVE-2026-39440	23 Apr 202613:16	–	nvd
Patchstack	WordPress FunnelFormsPro plugin <= 3.8.1 - Remote Code Execution (RCE) vulnerability	21 Apr 202615:16	–	patchstack
Positive Technologies	PT-2026-34660	23 Apr 202600:00	–	ptsecurity
Positive Technologies	PT-2026-36320	1 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-39440	5 Jun 202619:12	–	redhatcve

Vulners

Node

funnelforms_llc funnelformsproRange≤3.8.1wordpress

[
  {
    "vendor": "Funnelforms LLC",
    "product": "FunnelFormsPro",
    "versions": [
      {
        "status": "affected",
        "version": "n/a",
        "lessThanOrEqual": "3.8.1",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
patchstack	www.patchstack.com/database/wordpress/plugin/funnelforms-pro/vulnerability/wordpress-funnelformspro-plugin-3-8-1-remote-code-execution-rce-vulnerability

Parameter	Position	Path	Description	CWE
filename	request body	wp-admin/admin-ajax.php?action=af2_demoimport	AJAX-based FunnelForms Demo Import handler vulnerable to PHP object injection via unserialize on attacker-controlled data and unsafe file path handling.	CWE-94

23 Apr 2026 14:28Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.19.9

EPSS0.00022

SSVC

CWE-94

WordPress FunnelFormsPro up to 3.8.1 code injection remote code inclusion