CVE-2025-1562
Published 2025-06-18
CVE-2025-1562: The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized…
Priority P1 · 83 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 2.90% (85.2th percentile)
The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_or_activate_addon_plugins() function and a weak nonce hash in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to install arbitrary plugins on the site that can be leveraged to further infect a vulnerable site.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| amans2k | funnelkit_automations_email_marketing_automation_and_crm_for_wordpress_woocommer | <= 3.5.3 | — |
| funnelkit | funnelkit_automations | < 3.6.0 | 3.6.0 |
| linux | linux_kernel | >= 6.17.0 < 6.18.4 | 6.18.4 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /wp-json/autonami-app/plugin/install_and_activate with a bwf-nonce query parameter from unauthenticated or low-privilege sources; this endpoint is exploited to install arbitrary plugins without proper authorization.
- A successful exploit attempt will return HTTP 200 with a JSON body containing 'incompatible_archive', indicating the attacker-supplied ZIP URL was fetched by the server.
- Detect the reconnaissance/nonce-harvesting step: unauthenticated or low-privilege GET requests to /wp-admin/admin.php?page=autonami followed immediately by a POST to the install_and_activate endpoint.
- Flag the presence of the wp-marketing-automations plugin on versions up to and including 3.5.3 as a vulnerable asset requiring immediate patching to 3.6.0.
- The nonce (bwf-nonce) used to protect the install_and_activate endpoint is described as a 'weak nonce hash', meaning it can be predicted or brute-forced by unauthenticated attackers; standard nonce-strength assumptions do not apply here.
- The Nuclei template is tagged 'authenticated' but the vulnerability is exploitable by unauthenticated attackers; the login step in the PoC template may be optional or used only to harvest the nonce from the admin page.
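The detection guidance above can be turned into a small correlation rule. The following is an added example, not code from the advisory sources or from the FunnelKit plugin: it runs over constructed WAF/reverse-proxy style records (the record schema with `ts`, `ip`, `role`, `method`, `path`, `query`, `status` and `body` fields is assumed, as is the 30-second recon window and the `administrator` role as the only one allowed to install plugins) and raises one alert per low-privilege POST to the install_and_activate endpoint, escalating it when the response shows the server fetched the supplied ZIP and noting when the same source visited the Autonami admin page just before.

```python
"""Correlation logic for CVE-2025-1562 exploitation indicators.

Added example; not part of the advisory or of the plugin's own code.
Record layout (dicts with ts/ip/role/method/path/query/status/body) is an
assumed WAF or reverse-proxy log schema; SAMPLE_LOG is constructed data.
"""
from datetime import datetime, timedelta
from urllib.parse import parse_qs

INSTALL_PATH = "/wp-json/autonami-app/plugin/install_and_activate"  # from the advisory
ADMIN_PAGE_PATH = "/wp-admin/admin.php"                              # page=autonami, from the advisory
RECON_WINDOW = timedelta(seconds=30)      # assumed meaning of "followed immediately"
PRIVILEGED_ROLES = {"administrator"}      # assumed: roles legitimately allowed to install plugins


def detect(records):
    """Return a list of alert dicts for low-privilege install_and_activate POSTs."""
    alerts = []
    last_admin_get = {}  # ip -> timestamp of the latest low-privilege GET of the Autonami admin page
    for r in sorted(records, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(r["ts"])
        query = parse_qs(r.get("query", ""))
        low_priv = r.get("role", "anonymous") not in PRIVILEGED_ROLES

        # Recon step: the admin page is where the bwf-nonce can be read from the HTML.
        if (r["method"] == "GET" and r["path"] == ADMIN_PAGE_PATH
                and query.get("page") == ["autonami"] and low_priv):
            last_admin_get[r["ip"]] = ts
            continue

        # Only a POST to the install endpoint carrying bwf-nonce from a non-admin is interesting.
        if not (r["method"] == "POST" and r["path"] == INSTALL_PATH
                and "bwf-nonce" in query and low_priv):
            continue

        indicators = ["unauthorized_install_and_activate_post"]
        severity = "high"

        # HTTP 200 + 'incompatible_archive' means the server fetched the supplied ZIP URL.
        if r.get("status") == 200 and "incompatible_archive" in r.get("body", ""):
            indicators.append("server_fetched_supplied_zip")
            severity = "critical"

        # Same source harvested the nonce from the admin page shortly before the POST.
        prior = last_admin_get.get(r["ip"])
        if prior is not None and ts - prior <= RECON_WINDOW:
            indicators.append("admin_page_nonce_harvest_before_post")

        alerts.append({"ts": r["ts"], "ip": r["ip"], "role": r.get("role", "anonymous"),
                       "status": r.get("status"), "severity": severity, "indicators": indicators})
    return alerts


# Constructed sample records (RFC 5737 documentation addresses); not captured traffic.
SAMPLE_LOG = [
    # Legitimate administrator installing an add-on: must not alert.
    {"ts": "2025-06-20T10:00:00", "ip": "203.0.113.5", "role": "administrator", "method": "POST",
     "path": INSTALL_PATH, "query": "bwf-nonce=abcd1234", "status": 200, "body": '{"status":true}'},
    # Anonymous GET of the admin page, then the install POST eight seconds later.
    {"ts": "2025-06-20T11:00:00", "ip": "198.51.100.7", "role": "anonymous", "method": "GET",
     "path": ADMIN_PAGE_PATH, "query": "page=autonami", "status": 200, "body": ""},
    {"ts": "2025-06-20T11:00:08", "ip": "198.51.100.7", "role": "anonymous", "method": "POST",
     "path": INSTALL_PATH, "query": "bwf-nonce=00000000", "status": 200,
     "body": '{"status":false,"message":"incompatible_archive"}'},
    # Subscriber-level POST without the admin-page visit, rejected by the server.
    {"ts": "2025-06-20T12:00:00", "ip": "192.0.2.9", "role": "subscriber", "method": "POST",
     "path": INSTALL_PATH, "query": "bwf-nonce=ffff", "status": 403, "body": ""},
    # Unrelated traffic.
    {"ts": "2025-06-20T12:30:00", "ip": "192.0.2.10", "role": "anonymous", "method": "GET",
     "path": "/", "query": "", "status": 200, "body": ""},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ip"], alert["ts"], ", ".join(alert["indicators"]))
```

The rule deliberately alerts on every non-admin POST to the endpoint, not only on the HTTP 200 case: a 403 from a patched site still shows an attempt worth tracking, and the `incompatible_archive` body is only visible where the proxy or WAF logs response bodies.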
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 5.5 | MEDIUM | — |
| vulncheck | 9.8 | CRITICAL | — |
| vendor_redhat | 5.5 | MEDIUM | — |
OSV
CVE-2025-71139 kernel/kexec: fix IMA when allocation happens in CMA area
osv · 2026-01-14 · CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
kernel/kexec: fix IMA when allocation happens in CMA area
*** Bug description ***
When I tested kexec with the latest kernel, I ran into the following warning:
[ 40.712410] ------------[ cut here ]------------
[ 40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198
[...]
[ 40.816047] Call trace:
[ 40.818498] kimage_map_segment+0x144/0x198 (P)
[ 40.823221] ima_kexec_post_load+0x58/0xc0
[ 40.827246] __do_sys_kexec_file_load+0x29c/0x368
[...]
[ 40.855423] ---[ end trace 0000000000000000 ]---
*** How to reproduce ***
This bug is only triggered when the kexec target address is allocated in
the CMA area. If no CMA area is r
GHSA
GHSA-rr4m-6xx9-f2wg: CVE-2025-1562 [CRITICAL] CWE-862
ghsa_unreviewed · 2025-06-18
VulnCheck
CVE-2025-1562 [CRITICAL] funnelkit funnelkit_automations Missing Authorization
vulncheck · 2025 · CVSS 9.8
Affected: FunnelKit Automations (Formerly Autonami) Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if
Red Hat
CVE-2025-71139 [MEDIUM] kernel: kernel/kexec: fix IMA when allocation happens in CMA area
vendor_redhat · 2026-01-14 · CVSS 5.5
No detection rules found.
Nuclei
CVE-2025-1562 [CRITICAL] Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control
nuclei · CVSS 9.8
Template:
```yaml
id: CVE-2025-1562
info:
  name: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control
  author: s4e-io
```
No writeups or analysis indexed.
References
- https://plugins.trac.wordpress.org/browser/wp-marketing-automations/tags/2.5.0/includes/api/plugin_status/class-bwfan-api-install-and-activate-plugin.php
- https://plugins.trac.wordpress.org/browser/wp-marketing-automations/tags/2.5.0/includes/class-bwfan-db.php#L153
- https://plugins.trac.wordpress.org/changeset/3305437/wp-marketing-automations/trunk/admin/class-bwfan-admin.php
- https://plugins.trac.wordpress.org/changeset/3305437/wp-marketing-automations/trunk/includes/abstracts/class-bwfan-api-base.php
- https://plugins.trac.wordpress.org/changeset/3305437/wp-marketing-automations/trunk/includes/class-bwfan-api-loader.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/094972e6-7e02-4060-b069-e39c8cde9331?source=cve
Published 2025-06-18 · Exploited in the wild