CVE-2025-12353: CWE-639 Authorization Bypass Through User-Controlled Key in getwpfunnels WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell
The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relying on a user controlled value 'optin_allow_registration' to determine if user registration is allowed, instead of the site-specific setting. This makes it possible for unauthenticated attackers to register new user accounts, even when user registration is disabled.
AI Analysis
Technical Summary
CVE-2025-12353 is an authorization bypass vulnerability in the WPFunnels plugin for WordPress and WooCommerce. The plugin relies on a user-controllable key 'optin_allow_registration' to determine whether user registration is allowed, rather than enforcing the site-specific registration configuration. This design flaw permits unauthenticated attackers to create new user accounts despite user registration being disabled in the site settings. The vulnerability affects all versions up to and including 3.6.2. There is no vendor advisory or patch information currently available.
Potential Impact
An attacker can bypass the intended user registration restrictions and create unauthorized user accounts on the affected WordPress site. This could lead to unauthorized access or privilege escalation depending on the roles assigned to newly created accounts. The vulnerability does not directly impact confidentiality or availability but can lead to integrity issues by allowing unauthorized user creation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling or restricting access to the WPFunnels plugin functionality or monitoring for suspicious user registrations. Avoid relying solely on the plugin's registration controls and consider additional access controls at the WordPress level.
CVE-2025-12353: CWE-639 Authorization Bypass Through User-Controlled Key in getwpfunnels WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell
Description
The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relying on a user controlled value 'optin_allow_registration' to determine if user registration is allowed, instead of the site-specific setting. This makes it possible for unauthenticated attackers to register new user accounts, even when user registration is disabled.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-12353 is an authorization bypass vulnerability in the WPFunnels plugin for WordPress and WooCommerce. The plugin relies on a user-controllable key 'optin_allow_registration' to determine whether user registration is allowed, rather than enforcing the site-specific registration configuration. This design flaw permits unauthenticated attackers to create new user accounts despite user registration being disabled in the site settings. The vulnerability affects all versions up to and including 3.6.2. There is no vendor advisory or patch information currently available.
Potential Impact
An attacker can bypass the intended user registration restrictions and create unauthorized user accounts on the affected WordPress site. This could lead to unauthorized access or privilege escalation depending on the roles assigned to newly created accounts. The vulnerability does not directly impact confidentiality or availability but can lead to integrity issues by allowing unauthorized user creation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling or restricting access to the WPFunnels plugin functionality or monitoring for suspicious user registrations. Avoid relying solely on the plugin's registration controls and consider additional access controls at the WordPress level.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-27T15:11:29.679Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 690ebeb03a8fd010ecf64256
Added to database: 11/8/2025, 3:53:20 AM
Last enriched: 4/9/2026, 4:08:48 PM
Last updated: 5/10/2026, 8:40:18 AM
Views: 170
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.