CVE-2025-12000
📋 TL;DR
The WPFunnels WordPress plugin contains an arbitrary file deletion vulnerability that allows authenticated attackers with Administrator privileges to delete any file on the server. This affects all versions up to and including 3.6.2. Deleting critical files like wp-config.php can lead to complete site compromise and remote code execution.
💻 Affected Systems
- WPFunnels WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover via remote code execution after deleting wp-config.php or other critical files, leading to data theft, defacement, or malware installation.
Likely Case
Site disruption or downtime from deletion of important files, potentially requiring full restoration from backups.
If Mitigated
Limited impact if proper access controls and file permissions are in place, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires Administrator credentials but is technically simple once access is obtained. The vulnerability is publicly documented with code references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3389604/wpfunnels/trunk/admin/modules/settings/class-wpfnl-settings.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WPFunnels and click 'Update Now'.
4. Verify the version is 3.6.3 or higher.
🔧 Temporary Workarounds
Remove vulnerable plugin
Platform: all
Temporarily deactivate and remove the WPFunnels plugin until the patched version can be installed
wp plugin deactivate wpfunnels
wp plugin delete wpfunnels
Restrict file permissions
Platform: linux
Set strict file permissions on critical WordPress files to prevent deletion
chmod 400 wp-config.php
chmod 400 .htaccess
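The chmod 400 workaround above only helps if the account the web server runs PHP as can neither write the containing directory nor change the file's mode. The script below is an added example (not part of this advisory) that checks exactly that: on POSIX systems unlink() is decided by write and search permission on the parent directory, not by the file's own mode, and only the file owner or root can chmod it back. It assumes POSIX permission semantics, considers only the primary group, and uses a hypothetical web server uid/gid that is simply "the directory owner plus 1000" so the demo runs on any account.

```python
"""Does chmod 400 stop the web server account from deleting wp-config.php?
Added example, not from the advisory. Assumptions: POSIX semantics,
primary group only (supplementary groups ignored), hypothetical web uid/gid.
"""
import os
import shutil
import stat
import tempfile


def _has_bit(st, uid, gid, user_bit, group_bit, other_bit):
    """Evaluate one permission class (owner / group / other) for uid:gid."""
    if uid == st.st_uid:
        return bool(st.st_mode & user_bit)
    if gid == st.st_gid:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def can_unlink(path, uid, gid):
    """True if a process running as uid:gid could unlink `path`.

    Deletion is governed by the parent directory: it must be writable and
    searchable by the caller. On a sticky-bit directory the caller must also
    own either the file or the directory. uid 0 bypasses the mode bits.
    """
    if uid == 0:
        return True
    parent = os.path.dirname(os.path.abspath(path))
    d_st = os.stat(parent)
    f_st = os.stat(path)
    writable = _has_bit(d_st, uid, gid, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    searchable = _has_bit(d_st, uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
    if not (writable and searchable):
        return False
    if d_st.st_mode & stat.S_ISVTX and uid not in (f_st.st_uid, d_st.st_uid):
        return False
    return True


def can_chmod(path, uid):
    """Only the file owner (or root) may change its mode, so a 0400 mode
    binds only accounts that do not own the file."""
    return uid == 0 or os.stat(path).st_uid == uid


def demo():
    """Build a throwaway directory shaped like a WordPress root, apply the
    advisory's chmod 400, and evaluate deletion for the directory owner and
    for a hypothetical separate web server account."""
    root = tempfile.mkdtemp(prefix="wp-perm-demo-")
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php // constructed placeholder, not a real wp-config.php\n")
    os.chmod(cfg, 0o400)  # the workaround from the advisory
    owner_uid, owner_gid = os.stat(root).st_uid, os.stat(root).st_gid
    web_uid, web_gid = owner_uid + 1000, owner_gid + 1000  # hypothetical, not the owner

    results = {}
    os.chmod(root, 0o755)  # typical docroot: owner rwx, everyone else r-x
    results["owner_dir_0755"] = can_unlink(cfg, owner_uid, owner_gid)  # True: owner writes the directory
    results["web_dir_0755"] = can_unlink(cfg, web_uid, web_gid)        # False: no write on the directory
    os.chmod(root, 0o777)  # world-writable docroot, a common misconfiguration
    results["web_dir_0777"] = can_unlink(cfg, web_uid, web_gid)        # True: the 0400 file mode did not matter
    results["web_can_chmod"] = can_chmod(cfg, web_uid)                 # False: web account does not own the file
    results["owner_can_chmod"] = can_chmod(cfg, owner_uid)             # True: owner can undo chmod 400 at will
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:>16}: {'deletable/changeable' if outcome else 'blocked'}")
```

The practical reading: in a deployment where the web server account owns the WordPress tree (common where the site updates itself), PHP code running in that account can both chmod the file back and unlink it, so the workaround adds little; it is effective only when the files and their directories are owned by a separate deploy account and the web server has read access alone.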
🧯 If You Can't Patch
- Remove Administrator access from untrusted users and implement principle of least privilege
- Implement file integrity monitoring to detect unauthorized file deletions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → WPFunnels version. If version is 3.6.2 or lower, you are vulnerable.
Check Version:
wp plugin get wpfunnels --field=version
Verify Fix Applied:
After updating, verify WPFunnels version shows 3.6.3 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file deletion attempts in WordPress or web server logs
- Admin user actions deleting unexpected files
- POST requests invoking the wpfnl_delete_log AJAX action with unusual file paths
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=wpfnl_delete_log parameter
SIEM Query:
source="wordpress.log" AND "wpfnl_delete_log" AND (".." OR "/etc/" OR "wp-config")
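The indicators above can be checked outside a SIEM as well. The script below is an added example, not part of this advisory, that applies the same logic to request records: it keeps only calls to /wp-admin/admin-ajax.php whose action parameter is wpfnl_delete_log, then rates each one by whether any other parameter value contains a traversal or critical-file marker. Each record models a request as a WAF or reverse proxy would log it, with both query string and POST body available (plain access logs usually lack the body, so only the query-string form would be visible there). The advisory does not name the parameter that carries the file path, so every parameter other than action is inspected; the `file=` name in the constructed samples is a placeholder, and the sample traffic and addresses are constructed.

```python
"""Flag wpfnl_delete_log calls and rate them by path suspicion.
Added example, not from the advisory; sample records are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Substrings that suggest the request reaches outside a plugin log directory.
# parse_qs already URL-decodes values, so "%00" arrives as "\x00".
SUSPICIOUS_MARKERS = ("..", "/etc/", "wp-config", ".htaccess", "\x00")

# Constructed sample records (not real traffic). "file" is a placeholder
# parameter name; the detector does not depend on it.
SAMPLE_REQUESTS = [
    {"ts": "2025-10-01T10:00:01Z", "src": "203.0.113.5", "method": "POST",
     "url": "/wp-admin/admin-ajax.php",
     "body": "action=wpfnl_delete_log&file=wpfnl-2025-09-30.log"},
    {"ts": "2025-10-01T10:00:07Z", "src": "203.0.113.5", "method": "POST",
     "url": "/wp-admin/admin-ajax.php",
     "body": "action=wpfnl_delete_log&file=../../../wp-config.php"},
    {"ts": "2025-10-01T10:01:00Z", "src": "198.51.100.9", "method": "POST",
     "url": "/wp-admin/admin-ajax.php?action=wpfnl_delete_log",
     "body": "file=..%2F..%2F.htaccess"},
    {"ts": "2025-10-01T10:02:00Z", "src": "198.51.100.9", "method": "POST",
     "url": "/wp-admin/admin-ajax.php", "body": "action=heartbeat&data=ok"},
    {"ts": "2025-10-01T10:03:00Z", "src": "192.0.2.7", "method": "GET",
     "url": "/wp-admin/admin-ajax.php?action=wpfnl_delete_log&file=x.log",
     "body": ""},
]


def extract_params(record):
    """Return (path, params) with query-string and body parameters merged.
    admin-ajax.php dispatches on $_REQUEST, so either location counts."""
    parts = urlsplit(record["url"])
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(record.get("body", ""), keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return parts.path, params


def classify(record):
    """Return None for unrelated requests, otherwise a finding dict.

    Severity is "high" when any non-action parameter carries a suspicious
    marker and "info" otherwise: a plugin log name looks legitimate, but the
    advisory still lists admin deletions as something to review.
    """
    path, params = extract_params(record)
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    if "wpfnl_delete_log" not in params.get("action", []):
        return None
    hits = []
    for key, values in params.items():
        if key == "action":
            continue
        for value in values:
            lowered = value.lower()
            for marker in SUSPICIOUS_MARKERS:
                if marker in lowered:
                    hits.append(f"{key}={value!r} contains {marker!r}")
    return {
        "ts": record["ts"],
        "src": record["src"],
        "method": record["method"],
        "severity": "high" if hits else "info",
        "hits": hits,
    }


def scan(records):
    """Run classify() over an iterable of request records; drop non-matches."""
    return [f for f in (classify(r) for r in records) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"[{finding['severity']:>4}] {finding['ts']} {finding['src']} "
              f"{finding['method']} {'; '.join(finding['hits']) or 'plugin log name'}")
```

The "info" findings are expected when an administrator clears plugin logs, so they are best correlated with the logged-in user and time of day rather than alerted on directly; the "high" findings should page, since an Administrator account issuing them is either compromised or being misused.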
🔗 References
- https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.6.1/admin/modules/settings/class-wpfnl-settings.php#L591
- https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.6.1/includes/core/logger/class-wpfnl-logger.php#L172
- https://plugins.trac.wordpress.org/changeset/3389604/wpfunnels/trunk/admin/modules/settings/class-wpfnl-settings.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d969eb46-b12a-4a36-9321-bf1479906a5d?source=cve