CVE-2025-12353

MEDIUM 5.3

WPFunnels <= 3.6.2 - Unauthorized User Registration

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relying on a user controlled value 'optin_allow_registration' to determine if user registration is allowed, instead of the site-specific setting. This makes it possible for unauthenticated attackers to register new user accounts, even when user registration is disabled.

CWE	CWE-639
Vendor	getwpfunnels
Product	wpfunnels – funnel builder for woocommerce with checkout & one click upsell
Published	Nov 8, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for getwpfunnels wpfunnels – funnel builder for woocommerce with checkout & one click upsell

Be the first to know when new medium vulnerabilities affecting getwpfunnels wpfunnels – funnel builder for woocommerce with checkout & one click upsell are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

getwpfunnels / WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell

0 ≤ 3.6.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/4e376c96-47a8-419f-ab45-f7c46510c767?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3389604/wpfunnels/trunk/public/class-wpfnl-public.php

Credits

Ahmed Rayen Ayari