CVE-2025-12469: CWE-862 Missing Authorization in amans2k FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content.
AI Analysis
Technical Summary
CVE-2025-12469 is a Missing Authorization vulnerability (CWE-862) in the FunnelKit Automations – Email Marketing Automation and CRM plugin for WordPress and WooCommerce, affecting all versions up to and including 3.6.4.1. The bwfan_test_email AJAX handler is gated only by a nonce check: the plugin's check_nonce() function verifies the nonce and then proceeds without confirming that the calling user holds an administrative capability. The nonce itself is handed to every visitor through the plugin's frontend JavaScript localization, so any logged-in user who loads a page receives a nonce that validates for their own session. A WordPress nonce is a CSRF token, not an authorization credential; it proves only that the request originated from a page the site served to that user, so there is no authorization control here to bypass, only one that was never applied.

As a result, any authenticated user at Subscriber level or above can invoke the handler and have the site send email with attacker-chosen subject and body. Because the mail is sent through the site's own configured mail path, it carries the site's legitimate sender address and is not a spoof that SPF, DKIM or DMARC would reject, which makes it well suited to phishing, spam distribution and reputational damage. The flaw does not directly affect confidentiality or availability; it compromises the integrity of the site's outbound email.

The CVSS v3.1 base score is 4.3 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and low impact on integrity only. At the time of this analysis no patched version and no known in-the-wild exploitation are recorded, but the low privilege requirement makes exploitation straightforward, particularly on WooCommerce stores where customer self-registration yields an account at this privilege level. The plugin is widely deployed in e-commerce and marketing contexts, which broadens the population of exposed sites.
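The pattern the advisory describes, reconstructed as an added illustration rather than FunnelKit's own code: a nonce localized into a front-end script for everyone, and an AJAX handler that checks only that nonce before sending mail, next to the hardened form that issues the nonce on an admin screen and checks a capability. The hook names (example_*), nonce action names, settings-page hook suffix and POST field names are assumptions; the snippet runs only inside WordPress.

```php
<?php
/**
 * Added illustration of the CVE-2025-12469 pattern. Not FunnelKit's code:
 * hook names, nonce action names, the settings-page hook suffix and the
 * POST field names are assumptions. Runs only inside WordPress.
 */

// (1) VULNERABLE PATTERN. The nonce is localized into a front-end script for
//     every visitor. wp_create_nonce() ties the value to the viewer's session,
//     so a logged-in Subscriber who loads any front-end page receives a nonce
//     that will verify for that Subscriber's own requests.
add_action( 'wp_enqueue_scripts', function () {
	wp_enqueue_script( 'example-front', plugins_url( 'front.js', __FILE__ ), array(), '1.0', true );
	wp_localize_script( 'example-front', 'exampleFront', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'example_front_nonce' ), // readable in page source
	) );
} );

// Only the nonce is checked. That proves the request came from a page the site
// served to this user; it says nothing about what this user is allowed to do.
// Any logged-in user can therefore make the site send arbitrary mail.
add_action( 'wp_ajax_example_test_email', function () {
	check_ajax_referer( 'example_front_nonce', 'nonce' ); // dies on a bad nonce
	send_example_test_email_from_request();
} );

// (2) HARDENED PATTERN. The nonce is issued only on the plugin's own admin
//     screen, and the handler checks a capability before doing anything.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
	if ( 'toplevel_page_example-settings' !== $hook_suffix ) {
		return; // assumed hook suffix of the plugin's settings page
	}
	wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
	wp_localize_script( 'example-admin', 'exampleAdmin', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'example_admin_nonce' ),
	) );
} );

add_action( 'wp_ajax_example_test_email_fixed', function () {
	// CSRF check: the nonce still matters, but only as a CSRF token.
	check_ajax_referer( 'example_admin_nonce', 'nonce' );
	// Authorization check: this is the control that was missing.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}
	send_example_test_email_from_request();
} );
// No wp_ajax_nopriv_* registration: anonymous requests never reach either handler.

// Shared mail step, with the attacker-controllable fields sanitized.
function send_example_test_email_from_request() {
	$to      = sanitize_email( wp_unslash( $_POST['to'] ?? '' ) );
	$subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
	$body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
	if ( ! is_email( $to ) || '' === $subject ) {
		wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
	}
	$sent = wp_mail( $to, $subject, $body, array( 'Content-Type: text/html; charset=UTF-8' ) );
	if ( $sent ) {
		wp_send_json_success();
	}
	wp_send_json_error( array( 'message' => 'mail failed' ), 500 );
}
```

The two handlers differ by one line, the current_user_can() call; moving the nonce to an admin-only screen is good hygiene but does not by itself close the hole, because a nonce is generated per user and any user who can reach a page carrying it can read it.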
Potential Impact
For European organizations the risk is primarily to the integrity of their outbound email. An attacker can use the flaw to send phishing messages or spam from a trusted corporate domain, which can lead to credential theft, malware delivery and reputational harm, and to regulatory scrutiny under GDPR if personal data is compromised through the resulting phishing. Organizations running WordPress and WooCommerce with FunnelKit Automations installed are exposed, in particular e-commerce sites, marketing agencies and SMEs that use the plugin for customer engagement; on stores that allow customer self-registration, the required low-privilege account is available to anyone. The flaw also lowers the bar for misuse by any existing low-privilege or compromised account. System availability and confidentiality are not directly affected, but the downstream consequences of a convincing phishing campaign sent from a legitimate address can be significant. European entities with strict email-security and compliance requirements should treat this as a moderate threat requiring timely remediation.
Mitigation Recommendations
1. Update FunnelKit Automations as soon as the vendor ships a release that adds a capability check to the bwfan_test_email handler; watch the plugin changelog and the Wordfence advisory, since no patched version is recorded here.
2. Until then, block the handler for non-administrators with a site-level guard (for example a must-use plugin that rejects the AJAX action unless current_user_can('manage_options') holds), or disable the test-email feature if it is not needed.
3. Do not rely on hiding or obfuscating the nonce. A nonce is generated per user session and is by design readable by the user it is issued to, so a logged-in attacker can always obtain a valid one. The missing control is an authorization (capability) check in the handler, not nonce secrecy.
4. Review who can obtain low-privilege accounts: disable open registration where it is not required, and audit existing Subscriber and Customer accounts.
5. Keep SPF, DKIM and DMARC in place for general email hygiene, but note that mail sent through this flaw originates from the site itself and will not be rejected by those checks; limit the blast radius instead by routing site mail through a provider that enforces sending limits and content filtering.
6. Monitor outbound email for unusual volume, recipients or content, and correlate each send with the originating user and request (the wp_mail filter is a convenient place to record this).
7. Tell users and administrators that phishing may arrive from the site's own legitimate address, not only from look-alike domains.
8. Deploy WAF rules that block or rate-limit requests to admin-ajax.php carrying action=bwfan_test_email, allowing for the fact that legitimate administrators use the same endpoint.
9. Regularly review WordPress and plugin security configuration to keep the attack surface small.
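One way to implement interim items 2 and 6 above as a single must-use plugin, written here as an added example for site operators and not taken from FunnelKit: it refuses the AJAX action to anyone without the administrative capability before the plugin's own callback runs, and records the user, roles and AJAX action behind every outbound mail so a send from a low-privilege account stands out. It assumes the handler is reached through admin-ajax.php with the request parameter action=bwfan_test_email (the standard WordPress AJAX convention) and that manage_options is the right capability; confirm both against the installed plugin before relying on it. The example_* names and the log prefixes are assumptions.

```php
<?php
/**
 * Plugin Name: Interim guard and audit for bwfan_test_email
 *
 * Added example for site operators, not FunnelKit code. Place this file in
 * wp-content/mu-plugins/ so it loads before regular plugins. Assumes the
 * handler is reached via admin-ajax.php with action=bwfan_test_email and that
 * manage_options is the capability a legitimate caller must hold.
 */

const EXAMPLE_GUARDED_ACTION = 'bwfan_test_email';
const EXAMPLE_REQUIRED_CAP   = 'manage_options'; // assumption: only administrators need test sends

// The AJAX action named in the current request, or '' outside admin-ajax.php.
function example_current_ajax_action() {
	if ( ! wp_doing_ajax() || ! isset( $_REQUEST['action'] ) ) {
		return '';
	}
	return sanitize_key( wp_unslash( $_REQUEST['action'] ) );
}

// 1. Refuse the action for anyone without the capability. admin-ajax.php fires
//    admin_init before any wp_ajax_{action} callback, and priority 0 puts this
//    guard ahead of other admin_init listeners.
add_action( 'admin_init', function () {
	if ( EXAMPLE_GUARDED_ACTION !== example_current_ajax_action() ) {
		return;
	}
	if ( current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
		return;
	}
	error_log( sprintf(
		'[bwfan-guard] blocked action=%s user=%d ip=%s',
		EXAMPLE_GUARDED_ACTION,
		get_current_user_id(),
		isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-'
	) );
	wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // sends the response and exits
}, 0 );

// 2. Audit every outbound mail with the user and AJAX action that triggered it.
//    A line showing roles=subscriber together with ajax_action=bwfan_test_email
//    is the signature of this flaw being exercised.
add_filter( 'wp_mail', function ( $args ) {
	$to   = $args['to'] ?? '';
	$to   = is_array( $to ) ? implode( ',', $to ) : (string) $to;
	$user = wp_get_current_user(); // ID 0 and no roles for anonymous callers
	error_log( sprintf(
		'[mail-audit] user=%d roles=%s ajax_action=%s to=%s subject=%s',
		$user->ID,
		implode( '|', (array) $user->roles ) ?: '-',
		example_current_ajax_action() ?: '-',
		sanitize_text_field( $to ),
		sanitize_text_field( $args['subject'] ?? '' )
	) );
	return $args; // the filter must hand the arguments back unchanged
} );
```

The guard keys on the request's action parameter rather than on a wp_ajax_* hook name so it works regardless of how the plugin routes the call internally; the audit filter writes through error_log(), which lands in the PHP error log or, with WP_DEBUG_LOG enabled, in wp-content/debug.log, and is cheap enough to leave enabled after the vendor fix ships.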
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-29T15:32:21.770Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690b1bd197eccd907387bdcb
Added to database: 11/5/2025, 9:41:37 AM
Last enriched: 11/12/2025, 10:40:47 AM
Last updated: 12/19/2025, 3:26:16 PM