Arbitrary Plugin Installation Risk in FunnelKit Marketing Automation for WordPress
CVE-2025-1562

CVSS 9.8 CRITICAL

What is CVE-2025-1562?

The FunnelKit Marketing Automation plugin for WordPress (versions up to and including 3.5.3) allows unauthorized arbitrary plugin installation. The install_or_activate_addon_plugins() function performs no capability check, and the nonce it relies on is derived from a weak hash, so an unauthenticated attacker can invoke the function to install arbitrary plugins on the site. This can lead to the installation of malicious software that further compromises the WordPress site. Users of the plugin should update to a version later than 3.5.3.
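The two defects named above, illustrated with added example code that is not FunnelKit's: a WordPress AJAX add-on installer written the insecure way, beside its hardened form. The hook and action names, the add-on allowlist and the helper example_do_install() are assumptions made for this illustration.

```php
// Added illustration, not FunnelKit's code; hook names, slugs and the helper are assumptions.

// BEFORE: the pattern the advisory describes. The handler is reachable without
// authentication, checks no capability, and compares against a "nonce" that is
// just a hash of a fixed string, which any caller can compute.
add_action( 'wp_ajax_nopriv_example_install_addon', 'example_install_addon_insecure' );
function example_install_addon_insecure() {
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    if ( $nonce !== md5( 'example_install_addon' ) ) {   // weak: not per-user, never expires
        wp_send_json_error( 'bad nonce', 403 );
    }
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    example_do_install( $slug );                            // installs whatever slug was sent
    wp_send_json_success();
}

// AFTER: logged-in users only, a real WordPress nonce bound to the user's
// session, an explicit capability check, and an allowlist of installable slugs.
add_action( 'wp_ajax_example_install_addon', 'example_install_addon_secure' );
function example_install_addon_secure() {
    // Verifies the 'nonce' field created with wp_create_nonce( 'example_install_addon' )
    // for the current user and session; dies with HTTP 403 on mismatch.
    check_ajax_referer( 'example_install_addon', 'nonce' );
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $slug    = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    $allowed = array( 'example-addon-one', 'example-addon-two' ); // assumed add-on slugs
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( 'unknown add-on', 400 );
    }
    $result = example_do_install( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}

// Installs a plugin from the wordpress.org directory via the core upgrader.
function example_do_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $api->download_link );
}
```

The allowlist is the part a capability check alone does not give you: even an administrator's request should only be able to install the add-ons the plugin actually integrates with.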

Affected Version(s)

FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce: versions <= 3.5.3

CVSS v3.1

Score: 9.8
Severity: Critical
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Michael Mazzolini