CVE-2025-1562
published 2025-06-18


Priority: P183 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 2.90% (85.2th percentile)
The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_or_activate_addon_plugins() function and a weak nonce hash in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to install arbitrary plugins on the site that can be leveraged to further infect a vulnerable site.

Affected

3 ranges
Vendor      Product                                                                           Version range        Fixed in
amans2k     funnelkit_automations_email_marketing_automation_and_crm_for_wordpress_woocommer  <= 3.5.3             (not listed)
funnelkit   funnelkit_automations                                                             < 3.6.0              3.6.0
linux       linux_kernel                                                                      >= 6.17.0 < 6.18.4   6.18.4

Detection & IOCs (extracted from sources)

url: /wp-json/autonami-app/plugin/install_and_activate
path: /wp-content/plugins/wp-marketing-automations/
url: /wp-admin/admin.php?page=autonami
command: {"action":"install","url":"<remote_zip_url>"}
  • Monitor POST requests to /wp-json/autonami-app/plugin/install_and_activate with a bwf-nonce query parameter from unauthenticated or low-privilege sources; this endpoint is exploited to install arbitrary plugins without proper authorization.
  • A successful exploit attempt will return HTTP 200 with a JSON body containing 'incompatible_archive', indicating the attacker-supplied ZIP URL was fetched by the server.
  • Detect reconnaissance/nonce-harvesting step: unauthenticated or low-privilege GET requests to /wp-admin/admin.php?page=autonami followed immediately by a POST to the install_and_activate endpoint.
  • Flag presence of the wp-marketing-automations plugin on versions up to and including 3.5.3 as a vulnerable asset requiring immediate patching to 3.6.0.
  • The nonce (bwf-nonce) used to protect the install_and_activate endpoint is described as a 'weak nonce hash', meaning it can be predicted or brute-forced by unauthenticated attackers; standard nonce-strength assumptions do not apply here.
  • The Nuclei template is tagged 'authenticated' but the vulnerability is exploitable by unauthenticated attackers; the login step in the PoC template may be optional or used only to harvest the nonce from the admin page.
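As an added example (not part of this record, the plugin, or any vendor tooling), the following Python scans web-server access-log lines for the two patterns listed above: a POST to the install_and_activate endpoint carrying a bwf-nonce query parameter, and the same client fetching the autonami admin page shortly before that POST. The sample log lines, client IPs, nonce values and the 60-second correlation window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined log format; IPs, times and nonces are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jun/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=autonami HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [18/Jun/2025:10:00:03 +0000] "POST /wp-json/autonami-app/plugin/install_and_activate?bwf-nonce=deadbeef HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.4 - - [18/Jun/2025:10:05:00 +0000] "GET /wp-admin/admin.php?page=autonami HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Jun/2025:10:07:00 +0000] "POST /wp-json/autonami-app/plugin/install_and_activate?bwf-nonce=1234 HTTP/1.1" 403 40 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
INSTALL_PATH = "/wp-json/autonami-app/plugin/install_and_activate"  # from the record above
RECON_PATH = "/wp-admin/admin.php?page=autonami"                    # nonce-harvesting page

def parse(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect(log_text, window_s=60):
    """Return findings: 'install_attempt' (POST to the endpoint with bwf-nonce; 'success'
    marks HTTP 200) and 'recon_then_install' (admin-page GET within window_s before it)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        recon_ts = None  # most recent autonami admin-page fetch by this client
        for r in recs:
            if r["method"] == "GET" and r["path"].startswith(RECON_PATH):
                recon_ts = r["ts"]
            elif (r["method"] == "POST" and r["path"].split("?")[0] == INSTALL_PATH
                  and "bwf-nonce=" in r["path"]):
                findings.append({"ip": ip, "kind": "install_attempt", "success": r["status"] == 200})
                if recon_ts is not None and (r["ts"] - recon_ts).total_seconds() <= window_s:
                    findings.append({"ip": ip, "kind": "recon_then_install"})
    return findings
```

The 302 for 198.51.100.4 is the normal redirect an unauthenticated visitor gets from wp-admin and produces no finding on its own; the 403 for 192.0.2.9 is still reported as an attempt, since a patched site should be rejecting these requests.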

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv            -        5.5    MEDIUM
vulncheck      -        9.8    CRITICAL
vendor_redhat  -        5.5    MEDIUM