CVE-2026-39450

Vulnerability

The FunnelKit Automations plugin for WordPress (versions <= 3.7.3) contains a broken authentication vulnerability. This flaw allows a user with subscriber-level privileges to perform actions normally restricted to higher-privileged users. The vulnerability is present in the authentication mechanism of the plugin, enabling privilege escalation. [1]

Exploitation

An attacker needs only a subscriber account on the target WordPress site. No additional network position or user interaction is required beyond having the subscriber role. The attacker can exploit the broken authentication to execute actions that should require admin-level permissions, potentially leading to full administrative access. [1]

Impact

Successful exploitation allows the attacker to gain admin-level access to the WordPress site. This can lead to complete compromise of the website, including data theft, site defacement, malware injection, and further attacks on site visitors. The vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns. [1]

Mitigation

The vulnerability is fixed in version 3.8.0 of the FunnelKit Automations plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update is applied. Auto-update for vulnerable plugins can be enabled for Patchstack users. [1]