Description
The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_or_activate_addon_plugins() function and a weak nonce hash in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to install arbitrary plugins on the site that can be leveraged to further infect a vulnerable site.
Published: 2025-06-18
Score: 9.8 Critical
EPSS: 19.5% Moderate
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

The plugin's install_or_activate_addon_plugins() function lacks a capability check and relies on a weak nonce hash in all releases up to and including 3.5.3. Because nothing verifies that the caller is an administrator (or any logged-in user at all), an unauthenticated attacker can reach the function and have the site install an arbitrary WordPress plugin. A plugin is PHP that executes inside the site, so arbitrary plugin installation is effectively remote code execution. The weakness is classified as CWE-862 (Missing Authorization).
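To make the class of bug concrete, the following is an added example written for this page; it is not the FunnelKit plugin's code and does not reproduce its actual routes, nonce scheme or add-on list. The REST namespace 'example-addons/v1', the route names, the 'example_install_addon' nonce action and the add-on allowlist are all assumptions. The first route shows the pattern CWE-862 describes (an install endpoint reachable by anyone, gated only by a "nonce" derived from a value an outsider can compute); the second shows the same endpoint with a capability check, a real per-user nonce and an allowlist.

```php
<?php
/**
 * Illustrative "install or activate an add-on plugin" REST endpoint.
 * Example code for this page, not the FunnelKit plugin's source.
 * Namespace, route names, nonce action and allowlist are assumptions.
 */

// --- BEFORE: the CWE-862 pattern ------------------------------------------
// permission_callback is '__return_true', so WordPress lets any visitor into
// the callback. The only gate is a "nonce" computed from the site URL, which
// an attacker can compute too, so it proves nothing about who is calling.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/install-vulnerable', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            if ( $request->get_param( 'nonce' ) !== md5( home_url() ) ) {
                return new WP_Error( 'bad_nonce', 'Invalid nonce', array( 'status' => 403 ) );
            }
            return example_install_addon( (string) $request->get_param( 'slug' ) );
        },
    ) );
} );

// --- AFTER: capability check + real nonce + allowlist ---------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/install', array(
        'methods'             => 'POST',
        // Authorization: only users allowed to install plugins reach the callback.
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            // CSRF defence: wp_verify_nonce() ties the token to the logged-in
            // user's session and to this action, and it expires. It cannot be
            // derived from public site data.
            $nonce = (string) $request->get_param( 'nonce' );
            if ( ! wp_verify_nonce( $nonce, 'example_install_addon' ) ) {
                return new WP_Error( 'bad_nonce', 'Invalid nonce', array( 'status' => 403 ) );
            }
            // Scope: an "install our add-ons" endpoint has no reason to accept
            // arbitrary wordpress.org slugs. Allowlist (assumed names).
            $slug    = sanitize_key( (string) $request->get_param( 'slug' ) );
            $allowed = array( 'example-addon-one', 'example-addon-two' );
            if ( ! in_array( $slug, $allowed, true ) ) {
                return new WP_Error( 'bad_slug', 'Unknown add-on', array( 'status' => 400 ) );
            }
            return example_install_addon( $slug );
        },
    ) );
} );

// Shared installer: resolves a slug through the wordpress.org plugin API and
// installs the package. Nothing in here checks who is calling; that is why the
// authorization decision has to live on the route, not in the worker.
function example_install_addon( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'installed' => $slug ) );
}
```

Two points worth noting when reviewing a real plugin for this pattern. First, for cookie-authenticated REST requests WordPress only sets the current user after validating the X-WP-Nonce header (action 'wp_rest'), so current_user_can() in permission_callback is the decisive check; a per-action nonce on top is defence in depth, and a home-grown hash in place of wp_verify_nonce() gives neither. Second, any route whose permission_callback is '__return_true' and whose callback ends up in Plugin_Upgrader, activate_plugin() or similar privileged helpers deserves the same scrutiny as this one.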

Affected Systems

This issue affects the plugin published on WordPress.org as "Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit" and tracked in CPE as funnelkit_automations (FunnelKit Automations); the two names on this page refer to the same plugin. Version 3.5.3 and all earlier releases are affected. The advisory places the vulnerable code in the plugin's API components. No other plugins or products are listed as affected.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) scores 9.8, Critical: network-reachable, low complexity, no privileges or user interaction required, and full impact on confidentiality, integrity and availability. The EPSS score of 19.5% is a moderate but far from negligible estimated probability of exploitation in the wild within 30 days, and the SSVC assessment marks the flaw as automatable with total technical impact. The likely attack path is an unauthenticated HTTP request to the plugin's API endpoint that invokes install_or_activate_addon_plugins(). Because the installed plugin runs as PHP inside the site, the outcome is code execution, data theft, or persistent compromise (for example a backdoor packaged as a plugin). The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 22, 2026 at 17:16 UTC.

Remediation

No vendor advisory or workaround is recorded for this entry. The affected range ends at 3.5.3, consistent with the update recommended below.

OpenCVE Recommended Actions

  • Update FunnelKit Automations to the latest version (>=3.5.4) which includes the missing capability check and nonce validation.
  • If an immediate update is not possible, disable or remove the plugin temporarily to block the vulnerable install endpoint.
  • Restrict access to the plugin's REST API routes (for example with a WAF rule or web-server ACL) to authenticated administrators, and monitor access logs for POST requests to plugin-installation routes from unauthenticated clients. A new directory under wp-content/plugins/ that no administrator installed is a strong indicator that the flaw has already been exploited.

Advisories
Source: EUVD
ID: EUVD-2025-18629
Title: The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_or_activate_addon_plugins() function and a weak nonce hash in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to install arbitrary plugins on the site that can be leveraged to further infect a vulnerable site.
History

Wed, 09 Jul 2025 19:15:00 +0000

Type: First Time appeared
  Values added: Funnelkit; Funnelkit / Funnelkit Automations
Type: CPEs
  Values added: cpe:2.3:a:funnelkit:funnelkit_automations:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Values added: Funnelkit; Funnelkit / Funnelkit Automations

Wed, 18 Jun 2025 14:15:00 +0000

Type: Metrics
  Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Jun 2025 07:45:00 +0000

Type: Description
  Values added: The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_or_activate_addon_plugins() function and a weak nonce hash in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to install arbitrary plugins on the site that can be leveraged to further infect a vulnerable site.
Type: Title
  Values added: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit <= 3.5.3 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation
Type: Weaknesses
  Values added: CWE-862
Type: References
  Values added:
Type: Metrics
  Values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:26.912Z

Reserved: 2025-02-21T17:00:19.866Z

Link: CVE-2025-1562

Vulnrichment

Updated: 2025-06-18T13:44:16.979Z

NVD

Status : Analyzed

Published: 2025-06-18T08:15:28.987

Modified: 2025-07-09T18:55:22.080

Link: CVE-2025-1562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:30:22Z

Weaknesses