📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
About FAQ Contact Us Terms of Service Privacy Policy 🌐 العربية
🔐

Welcome — Sign in or create an account for full access.

🔑 Sign In ✨ Register
🌐 العربية Sign In Create Account
🔧 Scheduled Maintenance — Saturday 2:00-4:00 AM AST. Some features may be temporarily unavailable.    ●   
💎
Pro Plan 50% Off Unlock all AI features, unlimited reports, and priority support. Upgrade
Search Center
ESC to close
navigate open Ctrl+K search
CISO Consulting
Global data_breach Financial Services / Gaming HIGH 2h Global vulnerability Telecommunications / Enterprise Infrastructure CRITICAL 2h Global vulnerability Information Technology CRITICAL 2h Global malware General / Multi-sector CRITICAL 3h Global general Sports & Events HIGH 3h Global insider Governance & Ethics MEDIUM 4h Global vulnerability Technology and AI Systems HIGH 6h Global vulnerability Technology, Media, Broadcasting CRITICAL 6h Global vulnerability Government and Critical Infrastructure CRITICAL 6h Global supply_chain Artificial Intelligence and Technology HIGH 7h Global data_breach Financial Services / Gaming HIGH 2h Global vulnerability Telecommunications / Enterprise Infrastructure CRITICAL 2h Global vulnerability Information Technology CRITICAL 2h Global malware General / Multi-sector CRITICAL 3h Global general Sports & Events HIGH 3h Global insider Governance & Ethics MEDIUM 4h Global vulnerability Technology and AI Systems HIGH 6h Global vulnerability Technology, Media, Broadcasting CRITICAL 6h Global vulnerability Government and Critical Infrastructure CRITICAL 6h Global supply_chain Artificial Intelligence and Technology HIGH 7h Global data_breach Financial Services / Gaming HIGH 2h Global vulnerability Telecommunications / Enterprise Infrastructure CRITICAL 2h Global vulnerability Information Technology CRITICAL 2h Global malware General / Multi-sector CRITICAL 3h Global general Sports & Events HIGH 3h Global insider Governance & Ethics MEDIUM 4h Global vulnerability Technology and AI Systems HIGH 6h Global vulnerability Technology, Media, Broadcasting CRITICAL 6h Global vulnerability Government and Critical Infrastructure CRITICAL 6h Global supply_chain Artificial Intelligence and Technology HIGH 7h
Vulnerabilities

CVE-2026-3645

Medium
The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_co
CWE-862 — Weakness Type
Published: Mar 21, 2026  ·  Modified: Mar 23, 2026  ·  Source: NVD
CVSS v3
5.3
🔗 NVD Official
📄 Description (English)

The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can()) and nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's entire configuration including the API key via a POST request to admin-ajax.php. Once the API key is known (because the attacker set it), the attacker can use the plugin's public API endpoint (sniff_requests() at /?punnel_api=1) — which only validates requests by comparing a POST token against the stored api_key — to create, update, or delete arbitrary posts, pages, and products on the site.

🤖 AI Executive Summary

The Punnel Landing Page Builder WordPress plugin lacks authorization checks in its configuration save function, allowing authenticated subscribers to modify plugin settings and API keys. Attackers can then exploit the public API endpoint to perform unauthorized operations on posts, pages, and products.

📄 Description (Arabic)

يفتقر مكون Punnel – Landing Page Builder لفحوصات التحقق من الصلاحيات في دالة حفظ الإعدادات، مما يسمح للمستخدمين المصرح لهم على مستوى المشترك بتعديل إعدادات المكون ومفاتيح API. يمكن للمهاجمين بعد ذلك استخدام نقطة نهاية API العامة للمكون لإنشء أو تحديث أو حذف المنشورات والصفحات والمنتجات بشكل تعسفي على الموقع.

🤖 ملخص تنفيذي (AI)

The Punnel Landing Page Builder WordPress plugin lacks authorization checks in its configuration save function, allowing authenticated subscribers to modify plugin settings and API keys. Attackers can then exploit the public API endpoint to perform unauthorized operations on posts, pages, and products.

🤖 AI Intelligence Analysis Analyzed: May 30, 2026 04:00
🇸🇦 Saudi Arabia Impact Assessment
Saudi Relevance: high
🏢 Affected Saudi Sectors
banking telecom energy government healthcare
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.0
/ 10.0
🔧 Remediation Steps (English)
Update the Punnel plugin to version 1.3.2 or later immediately. Implement capability checks using current_user_can() with appropriate roles and add nonce verification to the save_config() AJAX action. Restrict API endpoint access and validate all requests with proper authentication mechanisms. Monitor WordPress user accounts for unauthorized access and review recent configuration changes.
🔧 خطوات المعالجة (العربية)
قم بتحديث مكون Punnel إلى الإصدار 1.3.2 أو أحدث فوراً. قم بتنفيذ فحوصات الصلاحيات باستخدام current_user_can() مع الأدوار المناسبة وأضف التحقق من nonce إلى إجراء save_config() AJAX. قيد الوصول إلى نقطة نهاية API والتحقق من جميع الطلبات باستخدام آليات المصادقة المناسبة. راقب حسابات مستخدمي WordPress للوصول غير المصرح به وراجع التغييرات الأخيرة في الإعدادات.
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 5.1.2 5.2.1
🔵 SAMA CSF
AC-2 AC-3 AC-6
🟡 ISO 27001:2022
A.9.1.1 A.9.2.1 A.9.2.5 A.9.4.3
📊 CVSS Score
5.3
/ 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack VectorN — None / Network
Attack ComplexityL — Low / Local
Privileges RequiredN — None / Network
User InteractionN — None / Network
ScopeU — Unchanged
ConfidentialityN — None / Network
IntegrityL — Low / Local
AvailabilityN — None / Network
📋 Quick Facts
Severity Medium
CVSS Score5.3
CWECWE-862
Exploit No
Patch ✗ No
Published 2026-03-21
Source Feed nvd
Views 4
🇸🇦 Saudi Risk Score
7.0
/ 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-862
⚡ Actions
🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details
Share this CVE
LinkedIn X / Twitter WhatsApp Telegram

💬 Comments

0
Loading comments
📣 Found this valuable?
Share it with your cybersecurity network
in LinkedIn 𝕏 X / Twitter 💬 WhatsApp ✈ Telegram
🍪 Privacy Preferences
CISO Consulting — Compliant with Saudi Personal Data Protection Law (PDPL)
We use cookies and similar technologies to provide the best experience on our platform. You can choose which types you accept.
🔒
Essential Always On
Required for the website to function properly. Cannot be disabled.
📋 Sessions, CSRF tokens, authentication, language preferences
📊
Analytics
Help us understand how visitors use the site and improve performance.
📋 Page views, session duration, traffic sources, performance metrics
⚙️
Functional
Enable enhanced features like content personalization and preferences.
📋 Dark/light theme, font size, custom dashboards, saved filters
📣
Marketing
Used to deliver content and ads relevant to your interests.
📋 Campaign tracking, retargeting, social media analytics
Privacy Policy →
CISO AI Assistant
Ask anything · Documents · Support
🔐

Introduce Yourself

Enter your details to access the full assistant

Your info is private and never shared
💬
CyberAssist
Online · responds in seconds
5 / 5
🔐 Verify Your Identity

Enter your email to receive a verification code before submitting a support request.

Enter to send · / for commands 0 / 2000
CISO AI · Powered by Anthropic Claude
✦ Quick Survey Help Us Improve CISO Consulting Your feedback shapes the future of our platform — takes less than 2 minutes.
⚠ Please answer this question to continue

How would you rate your overall experience with our platform?

Rate from 1 (poor) to 5 (excellent)

🎉
Thank you!
Your response has been recorded.