Missing Authorization Flaw in FunnelKit Automations Plugin for WordPress & WooCommerce
CVE-2025-12469

4.3 MEDIUM

What is CVE-2025-12469?

The FunnelKit Automations plugin for WordPress & WooCommerce contains a missing authorization vulnerability in one of its administrative functions. The flaw stems from improper validation of user permissions in the bwfan_test_email AJAX handler: the handler relies on nonce validation alone, but the nonce does not restrict access, because it is exposed through JavaScript to all users, including unauthenticated visitors. As a result, authenticated attackers with Subscriber-level access can send unauthorized emails with modified content, compromising site integrity. Site operators running affected versions of the plugin should update promptly.
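The pattern behind this class of flaw, as an added illustration (not FunnelKit's code; hook, action and option names are hypothetical): a WordPress AJAX handler that treats a nonce as its only gate, beside the hardened form that adds a capability check.

```php
<?php
// Added example, not the plugin's code. All names here are hypothetical.

// Front-end enqueue runs for every visitor, so the nonce it emits is readable
// by anyone who loads the page, logged in or not. A fix also moves this to
// admin_enqueue_scripts so the nonce is emitted only on admin screens.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin-js', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin-js', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_test_email' ), // visible in page source
    ) );
} );

// VULNERABLE: the nonce proves the request came from a page that carried it,
// not that the caller may use the feature. wp_ajax_ hooks fire for every
// authenticated role, including Subscriber, so this check is not authorization.
function example_test_email_vulnerable() {
    check_ajax_referer( 'example_test_email', 'nonce' );
    $to   = sanitize_email( wp_unslash( $_POST['to'] ?? '' ) );
    $body = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    wp_mail( $to, 'Test email', $body );
    wp_send_json_success();
}

// HARDENED: authorization is a separate check on the caller's capability.
// The nonce stays as CSRF protection; it is not the access control.
function example_test_email_hardened() {
    check_ajax_referer( 'example_test_email', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $to   = sanitize_email( wp_unslash( $_POST['to'] ?? '' ) );
    $body = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    if ( ! is_email( $to ) ) {
        wp_send_json_error( array( 'message' => 'Invalid recipient.' ), 400 );
    }
    wp_mail( $to, 'Test email', $body );
    wp_send_json_success();
}

// Register only the hardened handler, and no wp_ajax_nopriv_ variant, so the
// endpoint is unreachable without a login and unusable without the capability.
add_action( 'wp_ajax_example_test_email', 'example_test_email_hardened' );
```

For detection, a review of admin-ajax.php handlers can flag any callback that calls check_ajax_referer or wp_verify_nonce without a current_user_can check on the same path.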

Affected Version(s)

FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce: all versions <= 3.6.4.1

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Rafshanzani Suhada