CVE-2025-1562 CRITICAL

CVE-2025-1562: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit <= 3.5.3 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation

Vendor Amans2K
Product FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
Weakness CWE-862 · Missing authorization
Published June 18, 2025
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_or_activate_addon_plugins() function and a weak nonce hash in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to install arbitrary plugins on the site that can be leveraged to further infect a vulnerable site.
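The description names two missing controls on the add-on installer: a capability check and a properly generated nonce. The following is an added example of how a WordPress AJAX handler that installs plugins should be guarded; it is illustrative code written here, not FunnelKit's code, and the hook name, nonce action, handler name and add-on slugs (all prefixed `acme_`) are hypothetical.

```php
<?php
// Added illustrative example (not FunnelKit's code). All "acme_" names are hypothetical.

// Register the handler for logged-in users only. Deliberately NOT registering a
// 'wp_ajax_nopriv_' variant means unauthenticated requests never reach it.
add_action( 'wp_ajax_acme_install_addon', 'acme_install_addon_handler' );

// Hand the nonce to the admin-side script that triggers installation.
// A WordPress nonce is tied to the user session and action and expires,
// unlike a static or predictable hash.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'acme-admin', 'acmeAddons', array(
        'nonce' => wp_create_nonce( 'acme_install_addon_nonce' ),
    ) );
} );

function acme_install_addon_handler() {
    // 1. Nonce check: rejects requests that do not carry a valid, unexpired nonce
    //    for this specific action (dies with 403 on failure).
    check_ajax_referer( 'acme_install_addon_nonce', 'nonce' );

    // 2. Capability check (the control the advisory says was missing):
    //    only users permitted to install plugins may proceed.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Allowlist: the feature installs only the add-ons it knows about,
    //    so a caller cannot supply an arbitrary plugin slug.
    $allowed = array( 'acme-addon-one', 'acme-addon-two' ); // hypothetical slugs
    $slug    = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown add-on.' ), 400 );
    }

    // 4. Install through the core upgrader rather than fetching and unpacking
    //    archives by hand.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 500 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }

    wp_send_json_success( array( 'installed' => $slug ) );
}
```

When reviewing a plugin for this class of bug, the three things to confirm in any install/activate path are the ones above: the action is not exposed under `wp_ajax_nopriv_`, `current_user_can( 'install_plugins' )` (or an equivalent capability) is enforced before any filesystem change, and the nonce comes from `wp_create_nonce` and is checked with `check_ajax_referer` or `wp_verify_nonce` rather than a hash the caller can reproduce.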

Explanation of Vulnerability in Simple Terms

02 Summary

FunnelKit Automations for WordPress is missing authorization checks on sensitive functions. An unauthenticated attacker can read, modify, or delete email campaigns, contact lists, automation workflows, and other CRM data without logging in. This affects all versions up to 3.5.3. Site owners should update immediately to a version newer than 3.5.3.

What an attacker can do

03 Attacker Capabilities

Read, modify, or delete email campaigns, contacts, and automation workflows without authentication.

Potential impact on your site

04 Site Impact

All email marketing data, customer contacts, and automation workflows are exposed and can be altered or destroyed by anyone.

Conditions required to exploit

05 Prerequisites

None. The attacker needs only network access to your WordPress site.

Key dates

06 Disclosure timeline

June 18, 2025 CVE published
April 8, 2026 Record updated