CVE-2026-39440

CRITICAL

WordPress FunnelFormsPro plugin <= 3.8.1 - Remote Code Execution (RCE) vulnerability

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-39440. PoCs published by 3ele-projects.

AI-analyzed exploit summary: This repository provides a detailed technical analysis and a mitigation plugin for CVE-2026-39440, a Remote Code Execution vulnerability in FunnelForms Pro ≤ 3.8.1. The vulnerability stems from unsafe deserialization and path traversal in the `af2_demoimport` AJAX handler.

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion. This issue affects FunnelFormsPro: from n/a through 3.8.1.

Exploits (1)

nomisec WRITEUP
by 3ele-projects · poc
https://github.com/3ele-projects/cve-2026-39440-funnelforms-fix

Classification
Writeup 100%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: FunnelForms Pro ≤ 3.8.1
Auth required
Prerequisites: Authenticated WordPress user with Subscriber-level privileges
devstral-2 · analyzed May 04, 2026

Scores

CVSS v3 9.9
EPSS 0.0002
EPSS Percentile 6.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
Funnelforms LLC/FunnelFormsPro < 3.8.1
Published Apr 23, 2026
Tracked Since Apr 23, 2026