{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12469", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-29T15:32:21.770Z", "datePublished": "2025-11-05T09:27:40.199Z", "dateUpdated": "2026-04-08T17:00:40.969Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:40.969Z"}, "affected": [{"vendor": "amans2k", "product": "FunnelKit Automations \u2013 Email Marketing Automation and CRM for WordPress & WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.6.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The FunnelKit Automations \u2013 Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content."}], "title": "FunnelKit Automations \u2013 Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72198b74-90f6-49c6-b261-6f9c1cdc9692?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-ajax-controller.php#L296"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-common.php#L1896"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-public.php#L70"}, {"url": "https://plugins.trac.wordpress.org/changeset/3388822/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-ajax-controller.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2025-10-29T15:49:41.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-04T20:51:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-05T15:21:23.019112Z", "id": "CVE-2025-12469", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T15:39:59.784Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12469", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-05T15:21:23.019112Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T15:21:28.270Z"}}], "cna": {"title": "FunnelKit Automations \u2013 Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "amans2k", "product": "FunnelKit Automations \u2013 Email Marketing Automation and CRM for WordPress & WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.6.4.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-29T15:49:41.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-04T20:51:49.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72198b74-90f6-49c6-b261-6f9c1cdc9692?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-ajax-controller.php#L296"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-common.php#L1896"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-public.php#L70"}, {"url": "https://plugins.trac.wordpress.org/changeset/3388822/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-ajax-controller.php"}], "descriptions": [{"lang": "en", "value": "The FunnelKit Automations \u2013 Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-05T09:27:40.199Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12469", "state": "PUBLISHED", "dateUpdated": "2025-11-05T15:39:59.784Z", "dateReserved": "2025-10-29T15:32:21.770Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-05T09:27:40.199Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:funnelkit:funnelkit_automations:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "3034084D-172A-4FE5-9A23-F7B4F45F4787", "versionEndExcluding": "3.6.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The FunnelKit Automations \u2013 Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content."}], "id": "CVE-2025-12469", "lastModified": "2025-12-04T14:03:18.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-11-05T10:15:35.933", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-ajax-controller.php#L296"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-common.php#L1896"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-public.php#L70"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3388822/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-ajax-controller.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72198b74-90f6-49c6-b261-6f9c1cdc9692?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:37:50.725536+00:00", "value": {"mitigation_remediation": ["Upgrade FunnelKit Automations plugin to version 3.6.5 or later.", "Restrict the bwfan_test_email AJAX handler to administrator roles only or revoke Subscriber+ access to the endpoint.", "Monitor outgoing email logs for unexpected activity and block offending email addresses."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Email Sending"}, "threat_synthesis": {"affected_systems": "WordPress sites installing the FunnelKit Automations \u2013 Email Marketing Automation and CRM for WordPress & WooCommerce plugin, version 3.6.4.1 or earlier. The affected component is the bwfan_test_email AJAX endpoint in the plugin's core code. Administrators using older releases should verify the installed plugin version.", "description_and_impact": "The vulnerability allows an authenticated user with Subscriber-level access or higher to send arbitrary emails from the website. It arises because the plugin's AJAX handler for test emails does not verify proper authorization; the nonce used is exposed to all visitors and the check permits low-privilege accounts that possess the nonce. Consequently, an attacker can control subject and body content to deliver spam or phishing content without administrator approval.", "risk_and_exploitability": "The CVSS score is 4.3, indicating moderate impact. The EPSS score is below 1%, suggesting low probability of widespread exploitation at this time; the vulnerability is not listed in CISA's KEV catalog. Exploitation requires only that the user is logged in as a Subscriber or higher, that the nonce is available via frontend JavaScript, and that the attacker can invoke the AJAX endpoint. The likely attack vector is via the site's frontend, using the publicly exposed nonce in a browser, allowing an attacker to trigger the AJAX call and forge email subject and body, resulting in arbitrary emails being sent from the site to any address."}}}}, "created": "2025-11-06T10:07:21.990157+00:00", "updated": "2026-04-21T18:45:06.078808+00:00", "vendors": ["funnelkit", "funnelkit$PRODUCT$funnelkit_automations", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}