Funnelkit Automations
Broken authentication in the FunnelKit Automations WordPress plugin (versions <= 3.7.3) allows authenticated low-privilege users (subscribers) to bypass intended authentication controls, leading to integrity tampering and availability impact on the WordPress site. The flaw is reported by Patchstack and tracked as EUVD-2026-36929, with no public exploit identified at the time of analysis and no CISA KEV listing. Given that subscriber-level registration is open on many WordPress sites, the practical attack surface is broader than the CVSS 7.1 score alone suggests.
The FunnelKit Automations - Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable with low attack complexity.
The FunnelKit Automations - Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable without authentication and with low attack complexity. No vendor patch is available.
The FunnelKit plugin for WordPress (versions ≤3.5.3) contains a critical vulnerability allowing unauthenticated attackers to install arbitrary plugins due to missing capability checks and weak nonce validation in the install_or_activate_addon_plugins() function. This is a pre-authentication remote code execution vector with a CVSS 9.8 severity rating that enables complete site compromise through malicious plugin installation.