Impact
The vulnerability is a Broken Authentication flaw in the FunnelKit Automations WordPress plugin versions 3.7.3 and earlier. Because authentication is not enforced correctly, an attacker can log in as a subscriber or gain access to subscriber‑only functionality without a valid credential. The primary consequence is that an unauthenticated or low‑privileged attacker could view, modify, or delete subscriber information, potentially compromising data integrity and confidentiality.
Affected Systems
This issue affects installations of the Aman FunnelKit Automations plugin that have a version of 3.7.3 or older. The plugin is deployed within WordPress sites that rely on the default WordPress authentication mechanisms to protect subscriber data.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity vulnerability, but the EPSS score of < 1% suggests that the likelihood of exploitation is low and no public exploits have been reported. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is through web requests that bypass normal login checks, typically by sending crafted requests to the plugin’s endpoints. Exploitation requires access to the WordPress site over the network and the ability to craft these requests, but no privilege is required beyond that.
OpenCVE Enrichment