CVE-2025-12000: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in getwpfunnels Easy WordPress Funnel Builder To Collect Leads And Increase Sales – WPFunnels
The WPFunnels plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpfnl_delete_log() function in all versions up to, and including, 3.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-12000 is a path traversal vulnerability classified under CWE-22 found in the WPFunnels plugin for WordPress, a tool designed to build sales funnels and collect leads. The vulnerability arises from insufficient validation of file paths in the wpfnl_delete_log() function, which is responsible for deleting log files. Because the plugin does not properly restrict or sanitize the file path input, an authenticated attacker with administrator privileges can manipulate the path to delete arbitrary files on the server. This can include critical WordPress files such as wp-config.php, which contains database credentials and configuration settings. Deleting such files can disrupt site availability or enable further exploitation, including remote code execution if attackers replace or manipulate files to execute malicious code. The vulnerability affects all versions up to and including 3.6.2 of WPFunnels. The attack vector requires network access and administrator-level privileges but does not require user interaction. The CVSS v3.1 base score is 6.5, reflecting medium severity due to the high impact on integrity and availability but limited by the need for high privileges. No public exploits have been reported yet, but the risk remains significant for sites using this plugin. The vulnerability was published on November 8, 2025, and no patches are currently linked, indicating that users must rely on mitigation until an official fix is released.
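To make the missing control concrete, here is an added example (not WPFunnels code; the function name, the log directory layout and the sample file are assumptions): a PHP log-deletion helper that rejects path components outright and then confirms the resolved target still lives inside the plugin's log directory before calling unlink().

```php
<?php
// Added example, not WPFunnels code. `wpfnl_safe_delete_log` and the log
// directory layout are assumptions for illustration. Capability and nonce
// checks belong in the caller and are not repeated here.

/**
 * Delete one log file by bare filename, confined to $log_dir.
 * Returns true on success and false, without touching the filesystem,
 * for any rejected input.
 */
function wpfnl_safe_delete_log(string $log_dir, string $requested): bool {
    // 1. A log name is a bare filename: no slashes, no backslashes and no
    //    NUL bytes (which truncate the path at the C level).
    if ($requested === '' || strpbrk($requested, "/\\\0") !== false) {
        return false;
    }
    // 2. Allow only the file type this feature manages; this also excludes
    //    "." and "..".
    if (!preg_match('/^[A-Za-z0-9_-]+\.log$/', $requested)) {
        return false;
    }
    // 3. Resolve both paths and check containment. realpath() follows
    //    symlinks and returns false for a missing file, so a symlink that
    //    points outside the directory is rejected by the same comparison.
    $base   = realpath($log_dir);
    $target = realpath($log_dir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false) {
        return false;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // 4. Only regular files are ever removed, never directories or devices.
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed demonstration in a throwaway temporary directory.
$dir = sys_get_temp_dir() . '/wpfnl-logs-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/funnel.log', "constructed log line\n");

var_dump(wpfnl_safe_delete_log($dir, '../../wp-config.php')); // traversal attempt
var_dump(wpfnl_safe_delete_log($dir, 'funnel.log'));          // legitimate name
rmdir($dir);
```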
Potential Impact
The vulnerability enables attackers with administrator access to delete arbitrary files on the web server hosting the WordPress site. This can lead to severe consequences including site downtime, loss of critical configuration files, and potential remote code execution if attackers manage to delete or replace files that control site behavior. The integrity and availability of the affected WordPress installations are at risk. Organizations relying on WPFunnels for marketing and sales funnel management could face operational disruptions, reputational damage, and potential data loss. Since the exploit requires administrator privileges, the impact is somewhat mitigated by the need for prior compromise or insider threat. However, once exploited, the attacker gains significant control over the server environment, which could be leveraged for further attacks or lateral movement within the network.
Mitigation Recommendations
1. Restrict administrative access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
2. Monitor and audit administrator activities and file system changes, especially deletions of critical files like wp-config.php.
3. Implement file integrity monitoring solutions to detect unauthorized file deletions or modifications promptly.
4. Until an official patch is released, consider disabling or uninstalling the WPFunnels plugin if it is not essential.
5. Use web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the wpfnl_delete_log() function or unusual file deletion attempts.
6. Regularly back up WordPress site files and databases to enable quick restoration in case of file deletion or site compromise.
7. Follow vendor announcements closely and apply security patches immediately once available.
8. Limit plugin capabilities by using WordPress role management plugins to ensure only necessary users have administrator privileges.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-20T21:28:29.626Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690ebeaf3a8fd010ecf64215
Added to database: 11/8/2025, 3:53:19 AM
Last enriched: 2/27/2026, 7:48:49 PM
Last updated: 3/25/2026, 1:41:52 AM