Punnel WordPress Plugin Exposes API Key, Allows Attackers to Create or Delete Content

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.3

Punnel WordPress Plugin Exposes API Key, Allows Attackers to Create or Delete Content

CVE-2026-3645

Summary

The Punnel WordPress plugin for creating landing pages has a security flaw that lets attackers with basic access levels change the plugin's settings, including its API key. This can let attackers create, delete, or modify any content on your website. Update the plugin to the latest version to fix the issue.

Original title

Original description

The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can()) and nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's entire configuration including the API key via a POST request to admin-ajax.php. Once the API key is known (because the attacker set it), the attacker can use the plugin's public API endpoint (sniff_requests() at /?punnel_api=1) — which only validates requests by comparing a POST token against the stored api_key — to create, update, or delete arbitrary posts, pages, and products on the site.

nvd CVSS3.1 5.3

Vulnerability type

CWE-862 Missing Authorization

Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026