CVE-2025-1562

Severity: Critical · Exploited in the wild · Nuclei template available

FunnelKit Automations < 3.5.3 - Unauthenticated Arbitrary Plugin Installation via install_or_activate_addon_plugins


Exploitation Summary

CVE-2025-1562 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including gmh5225. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC demonstrates an unauthenticated plugin installation vulnerability in a WordPress plugin via the Autonami REST API endpoint. The exploit sends a crafted POST request to install a malicious plugin from a remote URL, though activation and path retrieval are noted as difficult.

Description

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_or_activate_addon_plugins() function and a weak nonce hash in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to install arbitrary plugins on the site that can be leveraged to further infect a vulnerable site.

Exploits (1)

Source: nomisec · Working PoC
Author: gmh5225 · Type: remote
https://github.com/gmh5225/CVE-2025-1562

Classification: Working PoC (90% confidence)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress with Autonami plugin (version unspecified)
Authentication: none needed
Prerequisites: Target must have the vulnerable Autonami plugin installed · Network access to the WordPress REST API
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control
Severity: Critical · Verified · by s4e-io

Scores

CVSS v3: 9.8
EPSS: 0.1952
EPSS Percentile: 95.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment:
Exploitation: none
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2025-06-18
CWE: CWE-862
Status: published
Products (2):
amans2k/FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce < 3.5.3
funnelkit/funnelkit_automations < 3.6.0
Published: Jun 18, 2025
Tracked Since: Feb 18, 2026