CVE-2025-1562

Name of the Vulnerable Software and Affected Versions Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit versions up to, and including, 3.5.3

Description The issue is related to a missing capability check on the install or activate addon plugins() function and a weak nonce hash, allowing unauthenticated attackers to install arbitrary plugins on the site. This could be leveraged to further infect a vulnerable site. The estimated number of potentially affected devices worldwide is not specified.

Recommendations For versions up to, and including, 3.5.3, update to a version higher than 3.5.3 to resolve the issue. As a temporary workaround, consider disabling the install or activate addon plugins() function until a patch is available. Restrict access to the plugin installation feature to minimize the risk of exploitation. Avoid using weak nonce hashes in the affected plugin until the issue is resolved.