CVE-2025-12469: 
WordPress vulnerability analysis and mitigation

The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin is vulnerable to Missing Authorization in versions up to 3.6.4.1. This vulnerability was discovered and disclosed on November 5, 2025, and is tracked as CVE-2025-12469 (NVD).

The vulnerability stems from improper authorization verification in the bwfan_test_email AJAX handler. The security issue arises because the nonce used for verification is publicly exposed to all visitors through frontend JavaScript localization, and the check_nonce() function accepts low-privilege authenticated users who possess this nonce. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to send arbitrary emails from the affected WordPress site. The attacker can control both the subject and body content of these emails (NVD).

The vulnerability has been patched in version 3.6.4.2 of the FunnelKit Automations plugin. Users are advised to update to this version or later to protect against this security issue (WordPress Plugin).