Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Aman FunnelKit Automations wp-marketing-automations allows Phishing. This issue affects FunnelKit Automations: from n/a through <= 3.6.0.
Published: 2025-06-17
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient validation of destination URLs in the plugin, allowing attackers to craft links that redirect users to malicious sites. This flaw can be exploited to launch phishing campaigns by embedding deceptive URLs within emails or site content, leading to credential theft or malware deployment. The weakness is a classic Open Redirect (CWE‑601).

Affected Systems

WordPress sites running the Aman FunnelKit Automations plugin, version 3.6.0 or earlier.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate overall risk, but the low EPSS score (<1%) suggests exploitation is currently unlikely. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector involves sending or inserting a crafted link that the plugin will redirect to a target domain without proper validation. An attacker would need to persuade a user to click the link, but the redirect itself does not require elevated privileges on the target site.

Generated by OpenCVE AI on April 30, 2026 at 11:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Aman FunnelKit Automations to a version newer than 3.6.0
  • If upgrading is not feasible, disable or remove the plugin’s redirect feature and whitelist only trusted domains
  • Configure server‑level redirect filtering to reject or sanitize untrusted destination URLs

Generated by OpenCVE AI on April 30, 2026 at 11:26 UTC.
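The allow-list check that the recommended actions describe, as an added Python example that is not part of the OpenCVE record or of the plugin's code; the trusted hosts and fallback URL are constructed sample values. Beyond a plain host comparison it handles the forms that usually slip past naive checks for CWE-601 (protocol-relative `//host`, backslash-as-slash, userinfo `trusted@evil`, look-alike subdomains, non-HTTP schemes) and resolves same-site paths against the trusted origin.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample allow-list: hosts the site may legitimately redirect to.
TRUSTED_HOSTS = {"www.example.com", "shop.example.com"}
# Where to send the user when the requested destination is not trusted.
FALLBACK = "https://www.example.com/"


def safe_redirect_target(raw, allowed_hosts=TRUSTED_HOSTS, fallback=FALLBACK):
    """Return raw if it points at an allow-listed host or is a same-site
    path; otherwise return fallback. Never raises on hostile input."""
    if not raw:
        return fallback
    # Browsers treat a backslash in the authority like a slash, so
    # "/\evil.example.net" must be seen as "//evil.example.net" before parsing.
    candidate = raw.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return fallback
    if not parts.scheme and not parts.netloc:
        # Plain same-site path such as "/account?tab=orders": resolve it
        # against the trusted origin. "//host" has a netloc and never gets here.
        if candidate.startswith("/"):
            return urljoin(fallback, candidate)
        return fallback
    # Protocol-relative "//evil" has no scheme; "javascript:" has the wrong one.
    if parts.scheme not in ("http", "https"):
        return fallback
    # .hostname drops userinfo and port, so "https://www.example.com@evil"
    # yields "evil", not the trusted-looking prefix an attacker put in front.
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return fallback
    return candidate


if __name__ == "__main__":
    # Constructed sample values of a redirect parameter, as a site might log them.
    samples = [
        "https://shop.example.com/cart?id=7",
        "/account?tab=orders",
        "//evil.example.net/",
        "/\\evil.example.net/",
        "https://www.example.com@evil.example.net/",
        "https://www.example.com.evil.example.net/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:48} -> {safe_redirect_target(s)}")
```

WordPress ships the same pattern as wp_safe_redirect() / wp_validate_redirect() with the allowed_redirect_hosts filter; wp_redirect() on its own performs no host check.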


Advisories

Source: EUVD
ID: EUVD-2025-28325
Title: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FunnelKit Automation By Autonami allows Phishing. This issue affects Automation By Autonami: from n/a through 3.6.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FunnelKit Automation By Autonami allows Phishing. This issue affects Automation By Autonami: from n/a through 3.6.0. URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Aman FunnelKit Automations wp-marketing-automations allows Phishing.This issue affects FunnelKit Automations: from n/a through <= 3.6.0.
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}


Fri, 20 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FunnelKit Automation By Autonami allows Phishing. This issue affects Automation By Autonami: from n/a through 3.6.0.
Title WordPress Automation By Autonami plugin <= 3.6.0 - Open Redirection Vulnerability
Weaknesses CWE-601
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:06.696Z

Reserved: 2025-06-11T16:06:05.695Z

Link: CVE-2025-49868

Vulnrichment

Updated: 2025-06-18T14:20:07.484Z

NVD

Status : Deferred

Published: 2025-06-17T15:15:51.533

Modified: 2026-04-23T15:31:45.040

Link: CVE-2025-49868

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:30:06Z

Weaknesses