Description
Missing Authorization vulnerability in WPFunnels WPFunnels wpfunnels allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPFunnels: from n/a through <= 3.6.2.
Published: 2025-12-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw (CWE-862) in the WPFunnels WordPress plugin: a plugin-exposed operation can be reached without the code first verifying that the caller holds the capability the operation requires. The CVSS vector recorded in the History section below (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates that the flaw is reachable over the network by an unauthenticated caller with no user interaction, and that exploitation affects integrity only, to a limited degree: an attacker can alter plugin state or configuration they should not be able to touch, but the vector records no confidentiality or availability impact. The page does not identify the specific endpoint or function that lacks the check.
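To make the weakness class concrete, the following added example (not WPFunnels' code; the REST namespace, AJAX action, option name and function names are hypothetical, and the page does not say which WPFunnels handler is affected) shows the two ways a WordPress plugin most often ends up with CWE-862, a public REST route and an admin-ajax.php action, each beside its hardened form.

```php
<?php
/**
 * CWE-862 (missing authorization) in a WordPress plugin, illustrated.
 * Added example code, not WPFunnels' own: every name below is hypothetical.
 */

// --- Vulnerable: a REST route that writes settings but is open to everyone.
// permission_callback => '__return_true' makes the endpoint public, so an
// unauthenticated remote request (CVSS AV:N/PR:N) can change configuration
// (integrity impact), which is the shape of the vector on this page.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-funnels/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_funnels_save_settings',
        'permission_callback' => '__return_true', // CWE-862: no authorization check
    ) );
} );

function example_funnels_save_settings( WP_REST_Request $request ) {
    $settings = array(
        'redirect_url' => esc_url_raw( (string) $request->get_param( 'redirect_url' ) ),
        'enabled'      => (bool) $request->get_param( 'enabled' ),
    );
    update_option( 'example_funnels_settings', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}

// --- Hardened: same callback, but the permission callback demands a capability.
// Cookie-authenticated REST requests without a valid X-WP-Nonce header are
// treated by WordPress as unauthenticated, so the capability check below also
// fails for a logged-in victim lured into sending the request (no CSRF path).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-funnels/v1', '/settings-hardened', array(
        'methods'             => 'POST',
        'callback'            => 'example_funnels_save_settings',
        'permission_callback' => 'example_funnels_can_manage',
        'args'                => array(
            'redirect_url' => array( 'type' => 'string', 'format' => 'uri', 'required' => true ),
            'enabled'      => array( 'type' => 'boolean', 'default' => false ),
        ),
    ) );
} );

function example_funnels_can_manage() {
    // Authorization: the caller must hold the capability, not merely be logged in.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to change these settings.', 'example-funnels' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

// --- Vulnerable: the same mistake in an admin-ajax.php handler.
// wp_ajax_nopriv_* registers the action for unauthenticated visitors, and the
// handler checks neither a nonce nor a capability before a destructive write.
add_action( 'wp_ajax_nopriv_example_funnels_reset', 'example_funnels_reset_vulnerable' );
function example_funnels_reset_vulnerable() {
    delete_option( 'example_funnels_settings' ); // anyone on the internet can trigger this
    wp_send_json_success();
}

// --- Hardened: authenticated hook only, nonce for CSRF, capability for authz.
add_action( 'wp_ajax_example_funnels_reset', 'example_funnels_reset_hardened' );
function example_funnels_reset_hardened() {
    check_ajax_referer( 'example_funnels_reset', 'nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    delete_option( 'example_funnels_settings' );
    wp_send_json_success();
}
```

The nonce and the capability check answer different questions: the nonce proves the request was intentionally sent from a page WordPress rendered for that user (CSRF), while `current_user_can()` proves the user is allowed to perform the action (authorization). A handler that checks only a nonce, or only `is_user_logged_in()`, is still CWE-862 for any low-privilege account. When triaging an installed plugin, grepping its source for `'__return_true'` permission callbacks and `wp_ajax_nopriv_` hooks is a quick way to find the handlers worth reading first.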

Affected Systems

All releases of the WPFunnels plugin up to and including version 3.6.2 are affected. WordPress sites that have the plugin installed and have not yet applied a corrective update carry the risk. The flaw does not depend on the underlying operating system or host platform; it is confined to the WordPress environment.

Risk and Exploitability

The CVSS score of 5.3 (Medium) reflects a network-reachable flaw that needs no privileges or user interaction but yields only a limited integrity impact; the EPSS score of less than 1% indicates a very low estimated probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Because the vector records PR:N, the attack does not require access to the WordPress admin interface: the likely path is a direct, unauthenticated HTTP request to a plugin endpoint (for example an admin-ajax.php action or a REST route) that performs a privileged operation without a capability check; the page does not name the affected endpoint. The SSVC assessment recorded below (Automatable: yes, Exploitation: none, Technical Impact: partial) is consistent with this: exploitation could be scripted, but none has been observed. A successful exploit could let an attacker modify funnel configuration, which could serve as a stepping stone to further attacks on the site, but the vector assigns no direct confidentiality or availability impact.

Generated by OpenCVE AI on April 29, 2026 at 12:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a plugin version newer than 3.6.2 that contains the fix as soon as the vendor releases one; if the plugin is not actively used on the site, deactivate and remove it in the meantime.
  • Until a fix is available, configure a web‑application firewall or security plugin to block requests to the plugin's endpoints from clients that are not authenticated WordPress users, or to deny access to them altogether if site visitors never need them. Confirm the rules cover admin-ajax.php actions and REST routes registered by the plugin, not only wp-admin pages, since the CVSS vector (PR:N) indicates the flaw is reachable without logging in.
  • Restrict WordPress user roles so that only users with legitimate administrative privileges can reach the WPFunnels configuration pages, and remove unnecessary high‑privilege accounts. Note that because no privileges are required to exploit this flaw, role hardening limits the blast radius of other weaknesses rather than closing this one.
  • Review and enforce the principle of least privilege on all WordPress accounts, regularly auditing permissions with a focus on third‑party plugin access, and monitor web server logs for unauthenticated POST requests to the plugin's endpoints.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 22:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
                           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Dec 2025 18:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Getwpfunnels; Getwpfunnels wpfunnels; Wordpress; Wordpress wordpress
Vendors & Products                     Getwpfunnels; Getwpfunnels wpfunnels; Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 14:30:00 +0000

Type          Values Removed   Values Added
Description                    Missing Authorization vulnerability in WPFunnels WPFunnels wpfunnels allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPFunnels: from n/a through <= 3.6.2.
Title                          WordPress WPFunnels plugin <= 3.6.2 - Broken Access Control vulnerability
Weaknesses                     CWE-862
References                     (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:23:49.210Z

Reserved: 2025-12-09T12:21:28.862Z

Link: CVE-2025-67571

Vulnrichment

Updated: 2025-12-10T21:55:28.592Z

NVD

Status : Deferred

Published: 2025-12-09T16:18:34.117

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67571

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:45:11Z

Weaknesses