CVE-2025-12469: 
WordPress vulnerability analysis and mitigation

The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin is affected by a Missing Authorization vulnerability (CVE-2025-12469) in versions up to and including 3.6.4.1. The vulnerability was discovered and reported on November 4, 2025, and received a CVSS v3.1 base score of 4.3 (Medium) (NVD).

The vulnerability stems from improper authorization verification in the bwfan_test_email AJAX handler. The security issue arises because the nonce used for verification is exposed to all visitors, including unauthenticated users, through frontend JavaScript localization. Additionally, the check_nonce() function accepts low-privilege authenticated users who possess this nonce. The vulnerability has been assigned CWE-862 (Missing Authorization) (NVD, Wordfence).

This vulnerability allows authenticated attackers with Subscriber-level access or higher to send arbitrary emails from the affected site. Attackers can control both the subject and body content of these emails, potentially leading to unauthorized email communications from the compromised website (NVD).

The vulnerability has been patched in version 3.6.4.2 of the FunnelKit Automations plugin. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (Wordfence).