Arbitrary Plugin Installation Risk in FunnelKit Marketing Automation for WordPress
CVE-2025-1562
Key Information:
- Vendor: WordPress
- CVE Published: 18 June 2025
What is CVE-2025-1562?
The FunnelKit Marketing Automation plugin for WordPress is affected by a vulnerability that allows unauthorized arbitrary plugin installations. Due to a missing capability check in the install_or_activate_addon_plugins() function coupled with a weak nonce hash, unauthenticated attackers can exploit this issue to install arbitrary plugins. This can lead to the installation of malicious software that further compromises the security of the WordPress site. Users of the plugin should ensure they are using the latest version to mitigate this risk.
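
The missing checks described above, shown in place on a guarded AJAX handler. This is an added illustration, not FunnelKit's code or its patch: the plugin header, the action name example_install_addon, the allowlist and its slugs are hypothetical, and the WordPress functions called are core APIs.

```php
<?php
/**
 * Plugin Name: Example Guarded Add-on Activator (constructed illustration)
 */

// Hypothetical allowlist: the only add-on slugs this handler will ever touch.
const EXAMPLE_ALLOWED_ADDONS = array( 'example-addon-one', 'example-addon-two' );

// Registered for logged-in users only. No wp_ajax_nopriv_ hook is added,
// so WordPress never routes unauthenticated requests to this handler.
add_action( 'wp_ajax_example_install_addon', 'example_install_addon' );

function example_install_addon() {
	// 1. Nonce: core nonces are bound to the user, the session token, the
	//    action name and the site's secret salts. Passing false as the third
	//    argument returns false on failure instead of calling die().
	if ( ! check_ajax_referer( 'example_install_addon', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
	}

	// 2. Capability: a valid nonce proves intent, not authorization.
	if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 3. Input: the request selects from the allowlist, it never supplies
	//    a package URL or an arbitrary slug.
	$slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
	if ( ! in_array( $slug, EXAMPLE_ALLOWED_ADDONS, true ) ) {
		wp_send_json_error( array( 'message' => 'Unknown add-on.' ), 400 );
	}

	// Only after all three checks: activate the already-installed add-on.
	require_once ABSPATH . 'wp-admin/includes/plugin.php';
	$result = activate_plugin( $slug . '/' . $slug . '.php' );
	if ( is_wp_error( $result ) ) {
		wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
	}
	wp_send_json_success( array( 'slug' => $slug ) );
}
```

wp_send_json_error() ends the request, so each failed check stops execution before the plugin operation is reached.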

Affected Version(s)
FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce * <= 3.5.3
EPSS Score
16% chance of being exploited in the next 30 days.