WPFunnels < 3.6.3 – Unauthorized User Registration | CVE 2025-12353 | Plugin Vulnerabilities

Description

The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relying on a user controlled value 'optin_allow_registration' to determine if user registration is allowed, instead of the site-specific setting. This makes it possible for unauthenticated attackers to register new user accounts, even when user registration is disabled.

Affects Plugins

Fixed in 3.6.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4e376c96-47a8-419f-ab45-f7c46510c767

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Ahmed Rayen Ayari

Verified

No

WPVDB ID

26a65db6-5c6f-4d78-84bc-93f0acf8763b

Timeline

Publicly Published

2025-11-07 (about 6 months ago)

Added

2025-11-07 (about 6 months ago)

Last Updated

2025-11-08 (about 6 months ago)

Other

Published

Title

Published

2025-12-25

Title

wpDiscuz < 7.6.44 - Unauthenticated Insecure Direct Object Reference

Published

2025-11-24

Title

Admin and Customer Messages After Order for WooCommerce: OrderConvo < 15 - Missing Authorization to Unauthenticated Information Disclosure

Published

2025-02-06

Title

Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time <= 1.0.0 - Authenticated (Contributor+) Post Disclosure

Published

2024-09-24

Title

REST API TO MiniProgram < 4.7.6 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover

Published

2022-02-14

Title

UsersWP < 1.2.3.1 - Subscriber+ User Avatar Override