CVE-2025-12469: CWE-862 Missing Authorization in amans2k FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content.
AI Analysis
Technical Summary
CVE-2025-12469 is a Missing Authorization vulnerability (CWE-862) found in the FunnelKit Automations – Email Marketing Automation and CRM plugin for WordPress and WooCommerce, affecting all versions up to 3.6.4.1. The vulnerability arises because the plugin fails to properly verify that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. Specifically, the nonce used for verification is exposed publicly via frontend JavaScript localization, making it accessible to all visitors, including unauthenticated users. The plugin's `check_nonce()` function accepts this nonce from low-privilege authenticated users (Subscriber role and above), allowing them to bypass intended authorization checks. Consequently, an attacker with a Subscriber-level account can invoke the AJAX handler to send arbitrary emails from the site with attacker-controlled subject lines and message bodies. This can be exploited to send phishing emails, spam, or malicious content appearing to originate from the legitimate website. The vulnerability does not require user interaction beyond authentication and does not impact confidentiality or availability directly but compromises integrity by enabling unauthorized email sending. The CVSS v3.1 base score is 4.3 (medium), reflecting network attack vector, low complexity, low privileges required, no user interaction, and limited impact on integrity only. No known exploits have been reported in the wild as of the publication date. The vulnerability was assigned by Wordfence and published on November 5, 2025.
Potential Impact
This vulnerability allows low-privilege authenticated users to send arbitrary emails from the affected WordPress site, which can severely impact organizations relying on FunnelKit Automations for email marketing and CRM. Attackers could exploit this to conduct phishing campaigns, distribute malware, or damage the organization's reputation by sending fraudulent emails appearing to come from a trusted source. This could lead to loss of customer trust, potential legal liabilities, and blacklisting of the organization's email domains. While the vulnerability does not allow direct data theft or site takeover, the ability to send unauthorized emails undermines the integrity of communications and could facilitate further social engineering attacks. Organizations with many users having Subscriber or higher roles are at increased risk. The impact is particularly significant for e-commerce businesses and marketing teams that depend on the plugin for customer engagement. Since the vulnerability is exploitable remotely over the network without user interaction, it can be leveraged at scale if attackers gain low-level access. However, the lack of known exploits in the wild suggests limited active exploitation currently.
Mitigation Recommendations
1. Update the FunnelKit Automations plugin to the latest version once a patch addressing CVE-2025-12469 is released by the vendor.
2. Until a patch is available, restrict user roles that can authenticate on the WordPress site, minimizing the number of users with Subscriber or higher privileges.
3. Implement strict role-based access control (RBAC) to limit who can access or invoke AJAX handlers related to email sending.
4. Use a Web Application Firewall (WAF) to monitor and block suspicious AJAX requests targeting the `bwfan_test_email` endpoint, especially those originating from low-privilege accounts.
5. Audit and monitor outgoing emails for unusual patterns, such as unexpected subject lines or content, to detect abuse early.
6. Disable or restrict the email testing functionality if it is not essential for business operations.
7. Educate users about phishing risks and encourage reporting of suspicious emails.
8. Review and harden nonce generation and verification mechanisms in custom plugins or themes to avoid exposing sensitive tokens publicly.
9. Regularly review user accounts and remove or downgrade unnecessary accounts with elevated privileges.
10. Employ multi-factor authentication (MFA) to reduce the risk of account compromise that could lead to exploitation.
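The root cause described above, and mitigation points 3 and 8, come down to one rule: a WordPress nonce is a CSRF token, not an authorization check. The sketch below is an added example written for this page, not FunnelKit's code. It contrasts a nonce-only AJAX handler with a hardened one that also requires a capability and stops exposing the nonce to every visitor. The action name `example_send_test_email`, the nonce action `example_test_email_nonce`, the script handle `example-admin-script` and the request parameter names are hypothetical; the WordPress API functions used are real.

```php
<?php
/**
 * Illustrative WordPress AJAX handler hardening (added example, not plugin code).
 *
 * Weak pattern: the handler only checks a nonce. If that nonce is localized into
 * front-end JavaScript, any visitor can read it, and any logged-in user (a
 * Subscriber included) can present it, so the check proves nothing about who
 * is calling.
 *
 * Hardened pattern: verify the nonce AND require a capability that only trusted
 * roles hold (manage_options is held by Administrators by default), constrain
 * the input, and hand the nonce only to users who are allowed to use it.
 *
 * All action names, nonce actions, script handles and POST field names here
 * are hypothetical.
 */

// --- Weak: nonce-only check (the CWE-862 pattern the advisory describes) ---
add_action( 'wp_ajax_example_send_test_email_weak', function () {
    // check_ajax_referer() only proves the request carries a valid nonce for
    // this action; it does not establish the caller's role or capabilities.
    check_ajax_referer( 'example_test_email_nonce', 'security' );

    $to      = sanitize_email( wp_unslash( $_POST['to'] ?? '' ) );
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );

    // Any authenticated user holding the nonce reaches this line.
    wp_mail( $to, $subject, $body );
    wp_send_json_success();
} );

// --- Hardened: nonce check plus an explicit capability check ---
add_action( 'wp_ajax_example_send_test_email', function () {
    // 1. CSRF protection: the nonce must still be valid for this action.
    check_ajax_referer( 'example_test_email_nonce', 'security' );

    // 2. Authorization: only users who may administer the site can send a
    //    test message. Low-privilege roles fail here with HTTP 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Constrain the input: a test mail goes to the caller's own address, so
    //    the endpoint cannot serve as an outbound relay to arbitrary recipients.
    $user    = wp_get_current_user();
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );

    $sent = wp_mail( $user->user_email, $subject, $body );
    if ( ! $sent ) {
        wp_send_json_error( array( 'message' => 'Mail could not be sent.' ), 500 );
    }
    wp_send_json_success();
} );

// Expose the nonce only on admin screens and only to users who can actually
// use the handler, rather than localizing it into front-end scripts for every
// visitor. Assumes a script with handle 'example-admin-script' is registered.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'example-admin-script', 'exampleTestEmail', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_test_email_nonce' ),
    ) );
} );
```

When reviewing a plugin's own handlers, the check to apply is the same as in the hardened branch: every `wp_ajax_*` callback that performs an administrative action should contain a `current_user_can()` (or equivalent capability) test in addition to its nonce check, and the nonce should not appear in scripts served to unauthenticated pages.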
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-29T15:32:21.770Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690b1bd197eccd907387bdcb
Added to database: 11/5/2025, 9:41:37 AM
Last enriched: 2/27/2026, 8:36:25 PM
Last updated: 3/23/2026, 4:01:58 AM