Description
The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content.
Published: 2025-11-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Email Sending
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an authenticated user with Subscriber-level access or higher to send arbitrary emails from the website. It arises because the plugin's AJAX handler for test emails does not verify proper authorization; the nonce used is exposed to all visitors and the check permits low-privilege accounts that possess the nonce. Consequently, an attacker can control subject and body content to deliver spam or phishing content without administrator approval.

Affected Systems

WordPress sites installing the FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin, version 3.6.4.1 or earlier. The affected component is the bwfan_test_email AJAX endpoint in the plugin's core code. Administrators using older releases should verify the installed plugin version.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate impact. The EPSS score is below 1%, suggesting low probability of widespread exploitation at this time; the vulnerability is not listed in CISA's KEV catalog. Exploitation requires only that the user is logged in as a Subscriber or higher, that the nonce is available via frontend JavaScript, and that the attacker can invoke the AJAX endpoint. The likely attack vector is via the site's frontend, using the publicly exposed nonce in a browser, allowing an attacker to trigger the AJAX call and forge email subject and body, resulting in arbitrary emails being sent from the site to any address.

Generated by OpenCVE AI on April 21, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FunnelKit Automations plugin to version 3.6.5 or later.
  • Restrict the bwfan_test_email AJAX handler to administrator roles only or revoke Subscriber+ access to the endpoint.
  • Monitor outgoing email logs for unexpected activity and block offending email addresses.

Generated by OpenCVE AI on April 21, 2026 at 18:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Dec 2025 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:funnelkit:funnelkit_automations:*:*:*:*:*:wordpress:*:*

Thu, 06 Nov 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Funnelkit
Funnelkit funnelkit Automations
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Funnelkit
Funnelkit funnelkit Automations
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Wed, 05 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 05 Nov 2025 09:45:00 +0000

Type Values Removed Values Added
Description The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content.
Title FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Funnelkit Funnelkit Automations
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:40.969Z

Reserved: 2025-10-29T15:32:21.770Z

Link: CVE-2025-12469

cve-icon Vulnrichment

Updated: 2025-11-05T15:21:28.270Z

cve-icon NVD

Status : Analyzed

Published: 2025-11-05T10:15:35.933

Modified: 2025-12-04T14:03:18.960

Link: CVE-2025-12469

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:45:06Z

Weaknesses