What the vulnerability does
01 Description
The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_or_activate_addon_plugins() function and a weak nonce hash in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to install arbitrary plugins on the site that can be leveraged to further infect a vulnerable site.
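The two defects named above, a missing capability check and a nonce that does not provide real request binding, are a recurring WordPress pattern, so the following added example (not FunnelKit's code; all function and hook names are hypothetical placeholders, and the weak token shown is a constructed stand-in because the advisory does not describe the plugin's actual hash) shows an add-on installation AJAX handler written the unsafe way and then hardened with `current_user_can()` and `check_ajax_referer()`:

```php
<?php
// Added illustration, not the plugin's own code. Function and hook names
// (example_install_addon_*) are hypothetical placeholders.

// Hypothetical helper standing in for the install/activate step itself
// (the real work would be done by WordPress's Plugin_Upgrader).
function example_do_install( $slug ) {
    error_log( "would install and activate add-on: {$slug}" );
}

// --- Vulnerable pattern (illustrative only) -------------------------------
// Registered on the nopriv hook, so logged-out requests reach it; the only
// gate is a home-made token, and no capability is ever checked.
add_action( 'wp_ajax_nopriv_example_install_addon', 'example_install_addon_vulnerable' );
add_action( 'wp_ajax_example_install_addon', 'example_install_addon_vulnerable' );

function example_install_addon_vulnerable() {
    $slug  = sanitize_text_field( $_POST['slug'] ?? '' );
    $token = $_POST['token'] ?? '';
    // Constructed stand-in for a weak nonce: a hash of public values is
    // computable by anyone and is not tied to a logged-in user or session,
    // so it is neither authentication nor authorization.
    if ( ! hash_equals( md5( $slug ), $token ) ) {
        wp_send_json_error( 'bad token', 403 );
    }
    example_do_install( $slug );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
// Authenticated hook only, capability check first, then a WordPress nonce
// (bound to the current user's session and to this specific action).
add_action( 'wp_ajax_example_install_addon', 'example_install_addon_hardened' );

function example_install_addon_hardened() {
    // Authorization: installing needs install_plugins, activating needs
    // activate_plugins. A nonce alone would NOT cover this.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // CSRF protection: check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_install_addon', 'nonce' );

    $slug = sanitize_key( $_POST['slug'] ?? '' );
    // Allow-list: only add-ons the plugin itself ships may be installed,
    // so even an administrator cannot be tricked into fetching arbitrary code.
    $allowed = array( 'example-addon-one', 'example-addon-two' ); // constructed list
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( 'unknown add-on', 400 );
    }
    example_do_install( $slug );
    wp_send_json_success();
}

// The admin page that issues the request must embed the matching nonce:
//   wp_create_nonce( 'example_install_addon' )   -> sent as the 'nonce' POST field.
```

Two points for reviewers of similar handlers: a WordPress nonce is a CSRF defence, not an authorization check, so `check_ajax_referer()` never replaces `current_user_can()`; and any handler that installs or activates code should be reachable only through the `wp_ajax_` hook, never `wp_ajax_nopriv_`, and should accept only an allow-listed set of packages.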
Explanation of Vulnerability in Simple Terms
02 Summary
FunnelKit Automations for WordPress is missing authorization checks on sensitive functions. An unauthenticated attacker can read, modify, or delete email campaigns, contact lists, automation workflows, and other CRM data without logging in. This affects all versions up to 3.5.3. Site owners should update immediately to a version newer than 3.5.3.
What an attacker can do
03 Attacker Capabilities
Read, modify, or delete email campaigns, contacts, and automation workflows without authentication.
Potential impact on your site
04 Site Impact
All email marketing data, customer contacts, and automation workflows are exposed and can be altered or destroyed by anyone.
Conditions required to exploit
05 Prerequisites
None. The attacker needs only network access to your WordPress site.
Key dates
06 Disclosure timeline
June 18, 2025: CVE published
April 8, 2026: Record updated