CVE-2025-1562

EUVD-2025-18629 | CRITICAL 9.8 (CVSS 3.1)
2025-06-18 [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Analysis Generated: Mar 14, 2026 - 22:49 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 22:49 (euvd) - EUVD-2025-18629
Patch Released: Mar 14, 2026 - 22:49 (nvd) - Patch available
CVE Published: Jun 18, 2025 - 08:15 (nvd) - CRITICAL 9.8

Description (NVD)

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_or_activate_addon_plugins() function and a weak nonce hash in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to install arbitrary plugins on the site that can be leveraged to further infect a vulnerable site.

Analysis (AI)

The FunnelKit plugin for WordPress (versions ≤3.5.3) contains a critical vulnerability allowing unauthenticated attackers to install arbitrary plugins due to missing capability checks and weak nonce validation in the install_or_activate_addon_plugins() function. This is a pre-authentication remote code execution vector with a CVSS 9.8 severity rating that enables complete site compromise through malicious plugin installation.

Technical Context (AI)

The vulnerability stems from two distinct flaws in the FunnelKit WordPress plugin's add-on management code: (1) CWE-862 (Missing Authorization): the install_or_activate_addon_plugins() function does not verify the caller's capabilities before processing a plugin installation request, and (2) a weak nonce hash that does not provide adequate CSRF protection. WordPress plugins rely on the capabilities system (current_user_can()) and on cryptographic nonces to prevent unauthorized actions; because the plugin implements neither control correctly, the API/AJAX endpoint can be reached directly without authentication. The affected product is the 'Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit' plugin for WordPress, in all versions up to and including 3.5.3. The vulnerability chain therefore combines an AJAX/REST endpoint exposed without an authentication check with insufficient validation of the request itself.
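As an added illustration (not FunnelKit's code; the hook and action names, the md5-based "nonce" and the example_install_plugin_by_slug() helper are constructed for this example), the pair below shows a WordPress AJAX add-on installer with the two defects this record describes, beside the hardened form a plugin should use:

```php
<?php
// Constructed example, not the affected plugin's code. Shows a hypothetical
// add-on installer with a missing capability check (CWE-862) and a weak
// nonce, followed by the hardened handler. example_install_plugin_by_slug()
// is a hypothetical helper that wraps the WordPress plugin installer.

// --- Vulnerable pattern -------------------------------------------------
// The nopriv hook exposes the handler to visitors who are not logged in.
add_action( 'wp_ajax_nopriv_example_install_addon', 'example_install_addon_vulnerable' );
add_action( 'wp_ajax_example_install_addon',        'example_install_addon_vulnerable' );

function example_install_addon_vulnerable() {
    // A "nonce" derived only from a public constant is predictable and is
    // not tied to a user session, so it gives no CSRF or authz guarantee.
    $expected = md5( 'example_install_addon' );
    if ( ! isset( $_POST['nonce'] ) || $_POST['nonce'] !== $expected ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // No current_user_can() check: whoever reaches the hook drives the
    // installer with a request-supplied plugin slug.
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    example_install_plugin_by_slug( $slug );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
// Authenticated hook only: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_example_install_addon_safe', 'example_install_addon_safe' );

function example_install_addon_safe() {
    // 1. Real WordPress nonce (created with wp_create_nonce() on the page
    //    that renders the button); check_ajax_referer() exits with 403 on mismatch.
    check_ajax_referer( 'example_install_addon', 'nonce' );

    // 2. Capability check: install_plugins is held by administrators only
    //    on a standard single-site install.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Allow-list the installable add-ons instead of trusting an
    //    arbitrary slug taken from the request.
    $allowed = array( 'example-addon-one', 'example-addon-two' );
    $slug    = sanitize_key( $_POST['slug'] ?? '' );
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( 'unknown add-on', 400 );
    }
    example_install_plugin_by_slug( $slug );
    wp_send_json_success();
}
```

When reviewing a plugin for this bug class, look for handlers registered on wp_ajax_nopriv_* or REST routes with a permissive permission_callback that perform privileged actions without both a capability check and a WordPress-generated nonce.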
