CVE-2025-12469
📋 TL;DR
Authenticated WordPress users with Subscriber-level access or higher can send arbitrary emails from the site with attacker-controlled content. The FunnelKit Automations plugin's administrative test-email AJAX handler lacks a proper authorization (capability) check, and the nonce it relies on is exposed publicly in frontend JavaScript, so the nonce provides no protection. All sites running a vulnerable plugin version (3.6.4.1 and earlier) are affected; the fix shipped in 3.6.4.2.
💻 Affected Systems
- FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce (plugin slug wp-marketing-automations), versions 3.6.4.1 and earlier; fixed in 3.6.4.2
⚠️ Risk & Real-World Impact
Worst Case
Attackers could send phishing emails, spam, or malicious content from legitimate site email addresses, damaging reputation and potentially leading to credential theft or malware distribution.
Likely Case
Spam campaigns sent from legitimate site domains, potentially causing email deliverability issues and brand reputation damage.
If Mitigated
Limited impact if outbound mail is monitored and rate-limited, but the ability of low-privilege accounts to send mail through the site remains until the plugin is updated.
🎯 Exploit Status
Exploitation requires an authenticated account (Subscriber or higher) but is technically simple. The nonce is exposed in publicly loaded JavaScript, so it is trivially obtainable; and a WordPress nonce only defends against CSRF, it is not an authorization check, so without a capability check on the handler any logged-in user who holds the nonce can call the endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.4.2
Fix Changeset: https://plugins.trac.wordpress.org/changeset/3388822/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-ajax-controller.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'FunnelKit Automations' and click 'Update Now'.
4. Verify the version shown is 3.6.4.2 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the bwfan_test_email AJAX handler.
Add to theme functions.php or a custom plugin: remove_action('wp_ajax_bwfan_test_email', 'bwfan_test_email'); remove_action('wp_ajax_nopriv_bwfan_test_email', 'bwfan_test_email');
Caveat: remove_action only unhooks a callback when the callback reference and priority match exactly what the plugin registered. Check the plugin's AJAX controller (linked in the references) for the registered callback; if it does not match, the call silently does nothing and the endpoint stays live. Verify the workaround by confirming the endpoint no longer responds for a Subscriber account.
Restrict user registration
Prevent new user accounts from being created to limit the pool of potential attackers. Existing low-privilege accounts can still reach the endpoint, and WooCommerce account creation at checkout is controlled separately (WooCommerce → Settings → Accounts & Privacy).
In WordPress Settings → General, uncheck 'Anyone can register'
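A sturdier form of the AJAX-endpoint workaround, added here as an example (this is not code from FunnelKit, Wordfence or the original page): a must-use plugin that hooks the wp_ajax_bwfan_test_email action at priority 0, so it runs before the plugin's own handler however that handler was registered, and ends the request with a 403 unless the caller holds an administrator capability. Assumptions not on the page: manage_options as the administrator capability, the plugin's handler registered at WordPress's default priority (10) or later, and the file placed in wp-content/mu-plugins/ so it loads before regular plugins. Blocked attempts are written to the PHP error log, which gives the application-level indicator that web-server access logs lack.

```php
<?php
/**
 * Plugin Name: Gate bwfan_test_email (temporary mitigation, example code)
 * Description: Drop this file in wp-content/mu-plugins/ to gate the FunnelKit
 *              test-email AJAX action behind an administrator capability check
 *              until the plugin is updated to 3.6.4.2. Remove it afterwards.
 */

// Action name comes from the advisory (action=bwfan_test_email).
// The capability is this example's assumption for "administrator"; adjust it
// if your site legitimately delegates marketing to another role.
const GATE_BWFAN_ACTION     = 'bwfan_test_email';
const GATE_BWFAN_CAPABILITY = 'manage_options';

/**
 * Runs at priority 0 on the wp_ajax_* hooks, i.e. before the plugin's own
 * handler (default priority 10), regardless of how that handler was registered.
 * Callers without the capability get a 403 and the request ends here; a nonce
 * alone is never accepted as authorization.
 */
function gate_bwfan_test_email() {
    if ( current_user_can( GATE_BWFAN_CAPABILITY ) ) {
        return; // administrator: let the plugin's handler run normally
    }

    $user = wp_get_current_user();

    // One line per blocked attempt, with the identity needed for triage.
    error_log( sprintf(
        'bwfan_test_email blocked: user_id=%d login=%s roles=%s ip=%s',
        $user->ID,
        $user->user_login ?: '(anonymous)',
        implode( ',', $user->roles ) ?: '(none)',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() sets the status, emits JSON and calls wp_die(),
    // so nothing registered later on this hook executes.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Both the authenticated and the unauthenticated AJAX entry points for the action.
add_action( 'wp_ajax_' . GATE_BWFAN_ACTION, 'gate_bwfan_test_email', 0 );
add_action( 'wp_ajax_nopriv_' . GATE_BWFAN_ACTION, 'gate_bwfan_test_email', 0 );
```

Unlike the remove_action approach, this does not depend on knowing the plugin's exact callback: hooks run in priority order, and terminating the request at priority 0 stops everything after it. Test it by logging in as a Subscriber and POSTing action=bwfan_test_email to /wp-admin/admin-ajax.php; you should get a 403 and a line in the PHP error log, while an administrator is unaffected. Delete the file once 3.6.4.2 is installed.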
🧯 If You Can't Patch
- Deactivate the FunnelKit Automations plugin completely
- Implement strict email sending rate limits and monitor for unusual email activity
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin → Plugins → FunnelKit Automations. If version is 3.6.4.1 or lower, you are vulnerable.
Check Version:
wp plugin get wp-marketing-automations --field=version (if WP-CLI is installed; WP-CLI addresses plugins by slug, the plugin's directory name taken here from the repository path, not by the display title 'FunnelKit Automations')
Verify Fix Applied:
After updating, verify version shows 3.6.4.2 or higher in WordPress admin → Plugins.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php carrying action=bwfan_test_email from accounts that are not administrators. Web-server access logs record only the request line, so the action is visible there only when it is sent in the query string; for POST-body submissions you need application-level logging (an audit-log plugin, or a hook on the wp_ajax_bwfan_test_email action) that records the action and the caller's role.
- A spike in outbound email from the WordPress host
- Mail-transport or email-log entries showing 'test email' sends outside normal administrative activity
Network Indicators:
- HTTP POST requests to admin-ajax.php with test-email parameters from sessions that do not belong to administrators
SIEM Query (pseudo-query; it assumes a log source that records the AJAX action and the caller's role, which stock web-server logs do not):
source="wordpress_logs" action="bwfan_test_email" AND user_role!="administrator"
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-ajax-controller.php#L296
- https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-common.php#L1896
- https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-public.php#L70
- https://plugins.trac.wordpress.org/changeset/3388822/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-ajax-controller.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/72198b74-90f6-49c6-b261-6f9c1cdc9692?source=cve