
CVE-2025-12469: CWE-862 Missing Authorization in amans2k FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce

Severity: Medium
Tags: Vulnerability, CVE-2025-12469, CWE-862
Published: Wed Nov 05 2025 (11/05/2025, 09:27:40 UTC)
Source: CVE Database V5
Vendor/Project: amans2k
Product: FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce

Description

The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content.

AI-Powered Analysis

Last updated: 11/05/2025, 09:52:40 UTC

Technical Analysis

CVE-2025-12469 is a missing authorization vulnerability (CWE-862) in the FunnelKit Automations – Email Marketing Automation and CRM plugin for WordPress and WooCommerce, affecting all versions up to 3.6.4.1. The vulnerability exists in the AJAX handler 'bwfan_test_email', which is designed to send test emails. The plugin uses a nonce for request verification; however, this nonce is publicly exposed in frontend JavaScript localization, making it accessible to all visitors, including unauthenticated users. Furthermore, the 'check_nonce()' function accepts this nonce from low-privilege authenticated users such as Subscribers, who normally should not have administrative capabilities. This improper authorization check allows these users to invoke the AJAX handler to send arbitrary emails with attacker-controlled subject and body content. The attack vector is remote and network-based, requiring only low-privilege authentication and no user interaction. The vulnerability does not impact confidentiality or availability directly but compromises integrity by enabling unauthorized email sending, which can be leveraged for phishing, spam, or social engineering attacks. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the limited scope and impact but ease of exploitation. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. Organizations using this plugin should be aware of the risk of abuse of their email systems and potential reputational harm.

Potential Impact

For European organizations, this vulnerability can lead to unauthorized sending of emails from legitimate domains, undermining trust in corporate communications and potentially facilitating phishing or social engineering attacks targeting employees, customers, or partners. Attackers could leverage this to distribute malware, steal credentials, or conduct fraud. Since the plugin is widely used in WordPress and WooCommerce sites, especially in e-commerce and marketing sectors, the impact includes reputational damage, customer trust erosion, and possible regulatory scrutiny under GDPR if personal data is compromised via phishing. The vulnerability does not directly affect data confidentiality or system availability but compromises the integrity of email communications, which can have cascading effects on business operations and security posture. Organizations relying on FunnelKit Automations for email marketing or CRM functions should consider this a significant risk vector, especially if subscriber-level accounts are easily obtainable or if internal users are compromised.

Mitigation Recommendations

Immediate mitigation steps include restricting access to the vulnerable AJAX handler by implementing server-side authorization checks that verify user roles properly, ensuring only administrators or trusted roles can invoke email-sending functions. Organizations should remove or obfuscate the nonce from frontend JavaScript localization to prevent exposure to unauthenticated users. Applying web application firewalls (WAF) rules to detect and block suspicious AJAX requests targeting 'bwfan_test_email' can provide temporary protection. Monitoring outgoing emails for unusual patterns or volumes can help detect exploitation attempts. Since no official patch is currently available, organizations should consider disabling the FunnelKit Automations plugin temporarily if email sending abuse is detected. Additionally, enforcing strong user account management to limit subscriber account creation and monitoring for compromised credentials reduces risk. Finally, organizations should stay alert for vendor updates or patches and apply them promptly once released.
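As an added example (not the plugin's own code, which this page does not show), here is the hardened shape of a WordPress AJAX handler that the mitigation paragraph calls for: the nonce check is kept as CSRF protection, a capability check gates the administrative action, and the nonce is localized only for users who are allowed to use it. All hook, action, field and function names below are assumptions.

```php
<?php
// Added illustration, not FunnelKit code: a hardened admin-only "send test email" AJAX handler.
// Hook names, the capability used, and POST field names are assumptions for this example.

add_action( 'wp_ajax_example_test_email', 'example_handle_test_email' );
// No 'wp_ajax_nopriv_' registration on purpose: unauthenticated requests never reach the handler.

function example_handle_test_email() {
    // 1. CSRF check. A nonce only proves the request originated from our own page; if the nonce is
    //    localized for every visitor, it cannot stand in for an authorization decision.
    check_ajax_referer( 'example_test_email', 'security' );

    // 2. Authorization. This is the check whose absence CWE-862 describes: a Subscriber holding a
    //    valid nonce is rejected here before any email can be built.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Constrain the destination: a test email goes only to the requesting administrator.
    $recipient = wp_get_current_user()->user_email;

    // 4. Sanitize request-controlled subject and body even for privileged users.
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    if ( '' === $subject || '' === $body ) {
        wp_send_json_error( array( 'message' => 'Subject and body are required.' ), 400 );
    }

    $headers = array( 'Content-Type: text/html; charset=UTF-8' );
    $sent    = wp_mail( $recipient, '[Test] ' . $subject, $body, $headers );
    if ( ! $sent ) {
        wp_send_json_error( array( 'message' => 'Mail delivery failed.' ), 500 );
    }
    wp_send_json_success( array( 'recipient' => $recipient ) );
}

// 5. Hand the nonce only to users who may use it; never localize it into a script every visitor loads.
function example_enqueue_admin_script() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_test_email' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

Review of a plugin for this class of bug reduces to checking that every `wp_ajax_*` handler that performs a privileged action pairs its nonce check with a `current_user_can()` check, and that nonces are created only inside code paths gated by the same capability.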


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-10-29T15:32:21.770Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 690b1bd197eccd907387bdcb

Added to database: 11/5/2025, 9:41:37 AM

Last enriched: 11/5/2025, 9:52:40 AM

Last updated: 11/5/2025, 10:42:25 AM

