CVE-2025-1562: 
WordPress vulnerability analysis and mitigation

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation in versions up to and including 3.5.3. The vulnerability was discovered and disclosed on June 18, 2025 (NVD, Wiz).

The vulnerability exists due to insufficient security controls in two key areas: 1) The installoractivateaddonplugins() function lacks proper capability verification, and 2) The implementation uses a weak nonce hash for authentication. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows unauthenticated attackers to install arbitrary plugins on affected WordPress sites. This capability could be leveraged to further compromise the vulnerable site through malicious plugin installations, potentially leading to complete site takeover (NVD, Wiz).

Site administrators running affected versions of the FunnelKit plugin should update to a version newer than 3.5.3 as soon as possible. If immediate updating is not possible, consider disabling the plugin until an update can be applied (Wiz).