Platform: wordpress
Component: funnelkit-automations
Fixed in: 3.5.4
CVE-2025-1562 is a critical vulnerability affecting the FunnelKit Automations WordPress plugin. This vulnerability allows unauthenticated attackers to install arbitrary plugins on a vulnerable WordPress site, significantly expanding the potential attack surface. The vulnerability impacts versions 0.0.0 through 3.5.3, and a patch is available in version 3.5.4.
The core of the issue lies in the installoractivateaddonplugins() function, which lacks a proper capability check. Combined with a weak nonce hash, this lets an attacker bypass authentication and trigger arbitrary plugin installations. Successful exploitation gives the attacker control over which plugins are installed, enabling them to inject malicious code, steal sensitive data, or gain complete control of the WordPress site. This is akin to remote code execution (RCE), reached through plugin installation rather than a direct code path. The blast radius extends to any data stored on the WordPress site, including user credentials, customer information, and e-commerce data.
This vulnerability was publicly disclosed on 2025-06-18. No public proof-of-concept (PoC) code had been released at the time of writing, but the ease of exploitation makes in-the-wild exploitation likely. It has not yet been added to the CISA KEV catalog. The lack of a public PoC does not lessen the severity, because the underlying flaw is straightforward to exploit.
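To make the two defects named above concrete, here is an added, hypothetical WordPress AJAX handler (not FunnelKit's code; the `demo_*` names, the `_nonce` field and the add-on allow-list are assumptions) showing an unsafe installer endpoint beside a hardened one that adds the capability check and a real WordPress nonce:

```php
<?php
// Pattern A (unsafe, for illustration): the only gate is a predictable
// "nonce" derived from a public constant, and the hook is also registered
// for logged-out users, so the capability of the caller is never checked.
add_action( 'wp_ajax_nopriv_demo_install_addon', 'demo_install_addon_unsafe' );
add_action( 'wp_ajax_demo_install_addon', 'demo_install_addon_unsafe' );

function demo_install_addon_unsafe() {
    $expected = md5( 'demo_install_addon' ); // constant, guessable "nonce"
    if ( ! isset( $_POST['_nonce'] ) || $_POST['_nonce'] !== $expected ) {
        wp_send_json_error( 'bad nonce', 403 ); // calls wp_die(), execution stops
    }
    // Missing current_user_can(): anyone past the weak nonce reaches the installer.
    demo_install_plugin_slug( sanitize_key( wp_unslash( $_POST['slug'] ) ) );
    wp_send_json_success();
}

// Pattern B (hardened): logged-in users only, install_plugins capability,
// a real WordPress nonce (user-bound and expiring), and a fixed allow-list.
add_action( 'wp_ajax_demo_install_addon_safe', 'demo_install_addon_safe' );

function demo_install_addon_safe() {
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Verifies a nonce created with wp_create_nonce( 'demo_install_addon_safe' ); dies on failure.
    check_ajax_referer( 'demo_install_addon_safe', '_wpnonce' );

    $allowed = array( 'woocommerce', 'funnelkit-automations' ); // assumed allow-list
    $slug    = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( 'unknown add-on', 400 );
    }
    demo_install_plugin_slug( $slug );
    wp_send_json_success( array( 'installed' => $slug ) );
}

// Installs a plugin from the WordPress.org repository by slug using core APIs.
function demo_install_plugin_slug( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 500 );
    }
    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'installation failed', 500 );
    }
}
```

The capability check runs before the nonce check on purpose: a nonce proves intent from an already-authorized user, it is not an authorization mechanism on its own.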
Exploit Status
EPSS: 16.07% (95th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the FunnelKit Automations plugin to version 3.5.4 or later. If upgrading is not immediately feasible due to compatibility issues, consider temporarily disabling the plugin to prevent exploitation. While a direct workaround is unavailable, implementing a Web Application Firewall (WAF) with rules to block suspicious plugin installation attempts can offer a temporary layer of protection. Regularly review installed plugins and remove any that are unnecessary or outdated.
Update the FunnelKit Automations plugin to version 3.5.4 or higher to fix the arbitrary plugin installation vulnerability. This update implements proper authorization checks and corrects the issue with the weak nonce hash, preventing unauthenticated attackers from installing malicious plugins on your website.
CVE-2025-1562 is a critical vulnerability in the FunnelKit Automations WordPress plugin allowing unauthenticated attackers to install arbitrary plugins, potentially leading to site compromise.
If you are using FunnelKit Automations versions 0.0.0 through 3.5.3, you are affected by this vulnerability.
Upgrade the FunnelKit Automations plugin to version 3.5.4 or later to resolve the vulnerability.
While no public exploit is currently known, the ease of exploitation makes in-the-wild exploitation likely.
Refer to the FunnelKit official website and WordPress plugin repository for the latest advisory and updates regarding CVE-2025-1562.