PT-2025-45101

Rafshanzani Suhada · Published 2025-11-05 · Updated 2025-12-04

CVE-2025-12469
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce, versions up to and including 3.6.4.1.
Description: The FunnelKit Automations plugin for WordPress is affected by a missing authorization issue. The plugin does not properly verify user authorization for administrative actions in the bwfan_test_email AJAX handler. The nonce used for verification is exposed to all visitors through frontend JavaScript localization, and the check_nonce() function accepts that nonce from any authenticated user without checking a capability. A low-privilege user who holds the nonce can therefore send arbitrary emails from the site, controlling both the subject and the body. Authenticated attackers with Subscriber-level access or higher can exploit this issue.
Recommendations: Versions up to and including 3.6.4.1 are affected; update to a later release of the plugin in which this issue is addressed.
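The root cause is a common WordPress mistake: a nonce only proves that a request came from a page the site itself rendered (CSRF protection); it says nothing about whether the caller is allowed to perform the action. When the nonce is also localized into a frontend script, every visitor can read it, and any wp_ajax_ handler that checks nothing but the nonce becomes reachable by any logged-in account. The following is an added example, not FunnelKit's code: it shows that flawed pattern beside a hardened form. The hook names, script handles, nonce action strings, the manage_options capability and the example_* function names are all assumptions made for illustration.

```php
<?php
// Added example (not the plugin's own code). Demonstrates the flaw pattern
// described in the advisory and one way to fix it. All names are hypothetical.

// ---------- Vulnerable pattern ----------

// 1. The nonce is localized into a script enqueued on the public frontend,
//    so every visitor, including any Subscriber, can read it in page source.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'example-frontend', plugins_url( 'frontend.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-frontend', 'exampleAjax', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_nonce' ), // exposed to all visitors
    ) );
} );

// 2. The handler validates only the nonce. wp_ajax_* hooks fire for every
//    authenticated user, so a Subscriber holding the nonce passes this check
//    and controls recipient, subject and body of the outgoing mail.
function example_test_email_vulnerable() {
    if ( ! check_ajax_referer( 'example_nonce', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    $to      = sanitize_email( wp_unslash( $_POST['to'] ?? '' ) );
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    wp_mail( $to, $subject, $body ); // no capability check before sending
    wp_send_json_success();
}
add_action( 'wp_ajax_example_test_email_vulnerable', 'example_test_email_vulnerable' );

// ---------- Hardened pattern ----------

// 1. Localize the nonce only on the admin screen that uses it, so it is
//    never part of the frontend page source.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'toplevel_page_example-settings' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_test_email' ),
    ) );
} );

// 2. The capability check establishes authorization; the nonce check
//    establishes intent (CSRF). Both are required, and the order matters
//    only for the error message: an unauthorized caller is rejected first.
//    No wp_ajax_nopriv_* hook is registered, so unauthenticated requests
//    never reach this function.
function example_test_email_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( ! check_ajax_referer( 'example_test_email', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // A test e-mail only needs to reach the administrator who asked for it;
    // do not let the request choose the recipient.
    $to      = wp_get_current_user()->user_email;
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    if ( ! wp_mail( $to, $subject, $body ) ) {
        wp_send_json_error( 'mail not sent', 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_test_email_hardened', 'example_test_email_hardened' );
```

To check a site for this class of issue, view the source of a public page as an anonymous visitor and look for localized JavaScript objects that carry a nonce for an admin-only AJAX action; then confirm, with a Subscriber-level account, whether admin-ajax.php accepts that action with the nonce alone. If it does, the handler is missing a current_user_can() check, regardless of how the nonce is validated.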

Status: Fix

Weakness Enumeration: Missing Authorization (CWE-862)

Related Identifiers: CVE-2025-12469

Affected Products: FunnelKit Automations, WooCommerce