Platform: wordpress
Component: funnelkit-automations
Fixed in: 3.5.4
CVE-2025-1562 is a critical vulnerability affecting the FunnelKit Automations WordPress plugin. This vulnerability allows unauthenticated attackers to install arbitrary plugins on a vulnerable WordPress site, significantly expanding the potential attack surface. The vulnerability impacts versions 0.0.0 through 3.5.3, and a patch is available in version 3.5.4.
The core of the issue lies in the install_or_activate_addon_plugins() function, which lacks a proper capability check. Coupled with a weak nonce hash, this allows an unauthenticated attacker to reach the function and trigger arbitrary plugin installations. Successful exploitation grants the attacker control over the installed plugins, enabling them to inject malicious code, steal sensitive data, or even gain complete control of the WordPress site. This is akin to a remote code execution (RCE) scenario, albeit through plugin installation. The blast radius extends to any data stored on the WordPress site, including user credentials, customer information, and e-commerce data.
This vulnerability was publicly disclosed on 2025-06-18. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation suggests a high probability of exploitation. It has not yet been added to the CISA KEV catalog. The lack of a public PoC does not diminish the severity, as the underlying vulnerability is relatively straightforward to exploit.
WordPress sites utilizing the FunnelKit Automations plugin, particularly those running older versions (0.0.0–3.5.3), are at significant risk. Shared hosting environments are especially vulnerable, as attackers could potentially compromise multiple sites through a single vulnerability.
• wordpress / composer / npm:
wp plugin list | grep FunnelKit
• wordpress / composer / npm:
grep -r 'install_or_activate_addon_plugins' /var/www/html/wp-content/plugins/funnelkit-automations/
• wordpress / composer / npm:
wp plugin status funnelkit-automations
Disclosure
Exploit Status
EPSS
16.07% (95th percentile)
CISA SSVC
CVSS-vector
The primary mitigation is to immediately upgrade the FunnelKit Automations plugin to version 3.5.4 or later. If upgrading is not immediately feasible due to compatibility issues, consider temporarily disabling the plugin to prevent exploitation. While a direct workaround is unavailable, implementing a Web Application Firewall (WAF) with rules to block suspicious plugin installation attempts can offer a temporary layer of protection. Regularly review installed plugins and remove any that are unnecessary or outdated.
Update the FunnelKit Automations plugin to version 3.5.4 or later to fix the arbitrary plugin installation vulnerability. This update implements proper authorization checks and fixes the weak nonce hash issue, preventing unauthenticated attackers from installing malicious plugins on your website.
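To make the two weaknesses named above concrete, here is an added illustration (hypothetical code, not FunnelKit's own): a WordPress AJAX handler in the weak shape the advisory describes, next to the hardened shape the fix is described as adding. The helper install_addon_from_wporg(), the action and nonce names, and the allow-list slugs are assumptions.

```php
<?php
// Added illustration, NOT FunnelKit's code: a hypothetical AJAX handler that installs
// add-on plugins, first in the weak shape the advisory describes, then hardened.
// install_addon_from_wporg() and the action/nonce names are assumptions.
require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

function install_addon_from_wporg( string $slug ) {
    // Resolve the slug to a download URL via the wordpress.org API, then install it.
    $info = plugins_api( 'plugin_information', [ 'slug' => $slug, 'fields' => [ 'sections' => false ] ] );
    if ( is_wp_error( $info ) ) {
        return $info;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $info->download_link );
}

// WEAK: reachable without login, no capability check, and a "nonce" that is just a
// hash of a fixed string, so any caller can reproduce it (hypothetical scheme).
function weak_install_addons() {
    $token = (string) ( $_POST['token'] ?? '' );
    if ( ! hash_equals( md5( 'install-addons' ), $token ) ) {
        wp_send_json_error( 'bad token', 403 );
    }
    install_addon_from_wporg( sanitize_key( $_POST['slug'] ?? '' ) ); // caller chooses the plugin
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_weak_install_addons', 'weak_install_addons' ); // anonymous path
add_action( 'wp_ajax_weak_install_addons', 'weak_install_addons' );

// HARDENED: logged-in only, real capability check, per-user nonce, fixed allow-list.
const ADDON_ALLOW_LIST = [ 'example-addon-one', 'example-addon-two' ]; // placeholder slugs

function hardened_install_addons() {
    check_ajax_referer( 'install_addons', 'nonce' );     // dies on a missing or bad nonce
    if ( ! current_user_can( 'install_plugins' ) ) {     // the capability core itself requires
        wp_send_json_error( 'forbidden', 403 );
    }
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( ! in_array( $slug, ADDON_ALLOW_LIST, true ) ) { // never a caller-chosen plugin
        wp_send_json_error( 'unknown add-on', 400 );
    }
    $result = install_addon_from_wporg( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: anonymous requests never reach this handler.
add_action( 'wp_ajax_install_addons', 'hardened_install_addons' );
```

The admin page that issues the request must generate the nonce server-side with wp_create_nonce( 'install_addons' ), which binds it to the logged-in user's session so it cannot be precomputed.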
CVE-2025-1562 is a critical vulnerability in the FunnelKit Automations WordPress plugin allowing unauthenticated attackers to install arbitrary plugins, potentially leading to site compromise.
If you are using FunnelKit Automations versions 0.0.0 through 3.5.3, you are affected by this vulnerability.
Upgrade the FunnelKit Automations plugin to version 3.5.4 or later to resolve the vulnerability.
While no public exploit is currently known, the ease of exploitation suggests a high probability of exploitation.
Refer to the FunnelKit official website and WordPress plugin repository for the latest advisory and updates regarding CVE-2025-1562.