What is the CVSS score of EUVD-2025-18629?

EUVD-2025-18629 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 16.1%.

Which versions of PHP are affected by EUVD-2025-18629?

Any WordPress site using the FunnelKit plugin (versions up to 3.5.3) is at critical risk of complete compromise, as unauthenticated attackers can install malicious plugins without authorization.. A patch is available.

Is there a public PoC exploit available for EUVD-2025-18629?

Yes, a public proof-of-concept exploit is available for EUVD-2025-18629. Prioritise patching immediately. EPSS: 16.1%.

How to fix or mitigate EUVD-2025-18629?

Within 24 hours: Identify all WordPress instances using FunnelKit and verify current plugin version. Within 7 days: Update FunnelKit to version 3.5.4 or later on all affected sites; if immediate patching is impossible, disable the plugin entirely. Within 30 days: Audit installed plugins for unauthorized additions, review access logs for suspicious activity, and implement Web Application Firewall rules to block exploitation attempts.

PHP EUVD-2025-18629

| CVE-2025-1562 CRITICAL

Missing Authorization (CWE-862)

2025-06-18 security@wordfence.com

WordPress Authentication Bypass PHP RCE Funnelkit Automations

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 22:49 euvd

EUVD-2025-18629

Analysis Generated

Mar 14, 2026 - 22:49 vuln.today

Patch released

Mar 14, 2026 - 22:49 nvd

Patch available

CVE Published

Jun 18, 2025 - 08:15 nvd

CRITICAL 9.8

DescriptionCVE.org

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_or_activate_addon_plugins() function and a weak nonce hash in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to install arbitrary plugins on the site that can be leveraged to further infect a vulnerable site.

AnalysisAI

The FunnelKit plugin for WordPress (versions ≤3.5.3) contains a critical vulnerability allowing unauthenticated attackers to install arbitrary plugins due to missing capability checks and weak nonce validation in the install_or_activate_addon_plugins() function. This is a pre-authentication remote code execution vector with a CVSS 9.8 severity rating that enables complete site compromise through malicious plugin installation.

Technical ContextAI

The vulnerability stems from two distinct security flaws in the FunnelKit WordPress plugin's addon management system: (1) CWE-862 (Missing Authorization) - the install_or_activate_addon_plugins() function fails to validate user capabilities before processing plugin installation requests, and (2) weak nonce hash implementation that fails to provide adequate CSRF protection. WordPress plugins rely on the capabilities system (wp_current_user_can()) and cryptographic nonces to prevent unauthorized actions. The plugin's failure to implement these controls allows direct API/AJAX endpoint access without authentication. The affected product is specifically the 'Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit' plugin for WordPress, impacting all versions through 3.5.3. The vulnerability chain involves AJAX/REST endpoints exposed without authentication checks combined with insufficient request validation.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

EUVD-2025-18629 vulnerability details – vuln.today

Back

PHP EUVD-2025-18629

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

More from same product – last 7 days

Share

External POC / Exploit Code