CVE-2026-39450: WordPress FunnelKit Automations plugin <= 3.7.3 - Broken Authentication vulnerability
Subscriber-level broken authentication in FunnelKit Automations versions <= 3.7.3.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a broken authentication vulnerability in the FunnelKit Automations WordPress plugin (versions 3.7.3 and earlier). It is reachable over the network and requires only a low-privilege account such as a subscriber, with no victim interaction needed. Successful exploitation lets an attacker disrupt service availability and make limited unauthorized modifications to data. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Available: Detection capability is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built WordPress images that bundle FunnelKit Automations.
- Available: HarborGuard is capable of scoring this finding at CVSS 7.1 (HIGH) and weighting it against each customer environment's compliance policy before routing the alert to the appropriate team inbox within that organization.
- Pending upstream: Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention at that point.
Exploit Conditions
- Network reachability: Required
  The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS.
- Authentication: Required
  A low-privilege account (such as a subscriber-level WordPress user) is sufficient to trigger this vulnerability; no admin credentials are needed.
- Victim interaction: Not required
  No user action or social engineering is required; the attacker can exploit the flaw directly without any victim involvement.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environment-specific setup.
Blast Radius
- Crashes or hangs the affected WordPress service, causing outage for users of the site.
- Makes limited unauthorized writes or modifications to application data accessible through the vulnerable authentication path.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against all customer images containing FunnelKit Automations 3.7.3 or earlier. Because no vendor-supplied fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the moment an upstream fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads automatically. In the interim, recommended compensating controls include restricting subscriber-role registration on affected WordPress installations, applying network-policy rules to limit external access to the WordPress admin surface, and using a web application firewall rule to block requests that match the vulnerable authentication flow. Where compliance policy permits, HarborGuard can surface these compensating-control recommendations as inline annotations on the affected image findings.
- Aman / FunnelKit Automations: ≤ 3.7.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H