CVE-2026-39450 Overview
CVE-2026-39450 is a broken authentication vulnerability [CWE-288] affecting the FunnelKit Automations WordPress plugin (also known as wp-marketing-automations) in versions up to and including 3.7.3. The flaw allows an attacker holding only Subscriber-level credentials to bypass authentication checks within the plugin. Successful exploitation can compromise the integrity of plugin data and degrade the availability of WordPress sites that depend on FunnelKit Automations for marketing workflows. Patchstack published the advisory documenting the issue, which is exploitable over the network with low complexity and requires no user interaction.
Critical Impact
A logged-in Subscriber can bypass authentication checks in FunnelKit Automations <= 3.7.3, leading to integrity loss and high availability impact on affected WordPress installations.
Affected Products
- FunnelKit Automations WordPress plugin (wp-marketing-automations) versions <= 3.7.3
- WordPress sites that allow Subscriber-level account registration
- Marketing automation workflows configured through the FunnelKit plugin
Discovery Timeline
- 2026-06-15 - CVE-2026-39450 published to the National Vulnerability Database (NVD)
- 2026-06-17 - CVE record last modified in NVD
Technical Details for CVE-2026-39450
Vulnerability Analysis
The vulnerability is classified under [CWE-288], Authentication Bypass Using an Alternate Path or Channel. The FunnelKit Automations plugin exposes functionality that should be restricted to privileged users, but the authentication logic does not correctly verify the caller's role or capability. As a result, any authenticated WordPress user with the Subscriber role can reach protected functionality intended for administrators or shop managers.
The Patchstack advisory categorizes the impact as integrity loss and high availability impact, with no confidentiality impact. This pattern is consistent with an attacker triggering state-changing operations inside the plugin, such as modifying automation rules or disrupting queued tasks.
Root Cause
The root cause is missing or insufficient capability validation on plugin endpoints. The plugin appears to rely on authentication alone, treating any logged-in session as sufficient, instead of verifying the user's WordPress capability before processing privileged actions. Because Subscriber is the default role assigned to new users on many WordPress sites that allow open registration, the attack surface is broad.
Attack Vector
The attacker first obtains or registers a Subscriber account on a target WordPress site running FunnelKit Automations 3.7.3 or earlier. The attacker then authenticates and sends crafted requests directly to the plugin's exposed actions or REST routes. Because the plugin does not enforce a proper capability check, the requests are processed as if they originated from a privileged user, allowing modification of plugin state and disruption of automation services. Refer to the Patchstack Vulnerability Report for the underlying technical detail.
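The capability gap described under Root Cause and Attack Vector, shown as an added example on a generic WordPress REST route and admin-ajax action (this is not FunnelKit code; the namespace, route, option and action names are hypothetical): the weak registration admits any logged-in session, the hardened forms demand a concrete capability.

```php
<?php
// Added example, not FunnelKit code. Namespace, route, option and action
// names are hypothetical placeholders chosen to illustrate the pattern.

// Shared state-changing operation that must only run for privileged users.
function example_store_rule( $rule ) {
    update_option( 'example_automation_rule', sanitize_text_field( $rule ) );
}

// WEAK: any logged-in session passes. A Subscriber satisfies
// is_user_logged_in(), so the caller's role is never actually checked.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-automations/v1', '/rules', array(
        'methods'             => 'POST',
        'permission_callback' => 'is_user_logged_in',
        'callback'            => function ( WP_REST_Request $request ) {
            example_store_rule( $request->get_param( 'rule' ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
    ) );
} );

// HARDENED: require a concrete capability, not mere authentication.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-automations/v1', '/rules-hardened', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error( 'rest_forbidden', 'Insufficient capability.',
                array( 'status' => rest_authorization_required_code() ) );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            example_store_rule( $request->get_param( 'rule' ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
    ) );
} );

// HARDENED admin-ajax handler. Registering only wp_ajax_ (no nopriv hook)
// still admits every logged-in user, so both nonce AND capability are checked.
add_action( 'wp_ajax_example_save_rule', function () {
    check_ajax_referer( 'example_save_rule', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    example_store_rule( isset( $_POST['rule'] ) ? wp_unslash( $_POST['rule'] ) : '' );
    wp_send_json_success();
} );
```

The capability to require depends on the operation; manage_options is used here only as a stand-in for whatever privileged capability the plugin's own role model defines.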
Detection Methods for CVE-2026-39450
Indicators of Compromise
- Unexpected modifications to FunnelKit automation rules, broadcasts, or contact lists not tied to administrator activity
- Plugin or site availability errors after requests from low-privilege user sessions
- Repeated authenticated requests to FunnelKit endpoints (admin-ajax.php actions or REST routes under the plugin namespace) from Subscriber accounts
Detection Strategies
- Review WordPress access logs for authenticated requests to FunnelKit Automations endpoints originating from accounts with the Subscriber role.
- Correlate plugin configuration changes in the WordPress database with the user ID and capability of the requesting account.
- Audit recently registered user accounts on sites that allow open registration and operate the affected plugin version.
Monitoring Recommendations
- Enable WordPress audit logging to capture role, capability, and endpoint metadata for every authenticated request.
- Alert on HTTP requests to plugin REST routes that return success status codes for users without administrative capabilities.
- Monitor for spikes in 4xx or 5xx responses from FunnelKit endpoints, which may indicate exploitation attempts probing for accessible actions.
How to Mitigate CVE-2026-39450
Immediate Actions Required
- Upgrade FunnelKit Automations to a version newer than 3.7.3 as soon as the vendor publishes a fixed release.
- Temporarily disable open user registration, or restrict the default new-user role away from Subscriber on sites that do not require public accounts.
- Audit existing Subscriber accounts and remove any that are not legitimately required.
Patch Information
The vulnerability affects FunnelKit Automations versions up to and including 3.7.3. Administrators should consult the Patchstack Vulnerability Report for the fixed version number and apply the update through the WordPress plugin manager or via WP-CLI.
Workarounds
- If an upgrade is not immediately possible, deactivate the FunnelKit Automations plugin until a patched version is installed.
- Block requests to FunnelKit plugin endpoints at the web application firewall (WAF) for sessions whose authenticated role is Subscriber.
- Restrict access to wp-admin/admin-ajax.php and the plugin's REST namespace using server-level access controls where feasible.
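One way to apply the endpoint-blocking workaround inside WordPress itself rather than at the WAF, as an added example that is not FunnelKit's or Patchstack's code: a must-use plugin that refuses REST requests under a given namespace and admin-ajax actions with a given prefix unless the caller holds manage_options. The namespace and action prefix are hypothetical placeholders; the page does not state the values the affected plugin registers.

```php
<?php
/**
 * Plugin Name: Temporary capability gate (added example, not FunnelKit code)
 * Install in wp-content/mu-plugins/. The two constants are placeholders:
 * replace them with the namespace and AJAX action prefix the affected
 * plugin actually registers before relying on this gate.
 */

define( 'EXAMPLE_GATED_REST_NAMESPACE', '/example-automations/v1/' );
define( 'EXAMPLE_GATED_AJAX_PREFIX', 'example_automations_' );

// Only callers with manage_options pass; a Subscriber never has it.
function example_gate_caller_allowed() {
    return current_user_can( 'manage_options' );
}

// REST: rest_pre_dispatch runs after cookie/nonce authentication but before
// the route's own permission_callback, so a weak callback is never reached.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route();
    if ( 0 === strpos( $route, EXAMPLE_GATED_REST_NAMESPACE )
        && ! example_gate_caller_allowed() ) {
        error_log( sprintf( 'capability gate: denied REST %s for user %d',
            $route, get_current_user_id() ) );
        return new WP_Error( 'rest_forbidden', 'Forbidden', array( 'status' => 403 ) );
    }
    return $result;
}, 1, 3 );

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action},
// so gated actions can be refused before the plugin handler sees them.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( 0 === strpos( $action, EXAMPLE_GATED_AJAX_PREFIX )
        && ! example_gate_caller_allowed() ) {
        error_log( sprintf( 'capability gate: denied ajax %s for user %d',
            $action, get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}, 1 );
```

Because the gate denies unauthenticated callers as well, any public-facing features the plugin exposes under the same namespace or prefix will stop working while it is active; test on a staging site first.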
# Update FunnelKit Automations using WP-CLI once a fixed version is available
wp plugin update wp-marketing-automations
# Verify installed version
wp plugin get wp-marketing-automations --field=version
# If patching is delayed, deactivate the plugin
wp plugin deactivate wp-marketing-automations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

