CVE-2024-9186 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2024-9186?

CVE-2024-9186 has a CVSS score of 8.6 (HIGH). This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress sites using the FunnelKit plugin. Attackers can manipulate database queries through the unsanitized bwfan-track-id parameter. All WordPress sites running vulnerable versions of this plugin are affected.

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress sites using the FunnelKit plugin. Attackers can manipulate database queries through the unsanitized bwfan-track-id parameter. All WordPress sites running vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:

FunnelKit (formerly WooFunnels) - WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation

Versions: All versions before 3.3.0

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all WordPress installations with the vulnerable plugin activated.

📦 What is this software?

Funnelkit Automations by Funnelkit

View all CVEs affecting Funnelkit Automations →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise allowing data theft, modification, or deletion; potential for full site takeover via privilege escalation or remote code execution.

🟠

Likely Case

Data exfiltration from WordPress database including user credentials, sensitive content, and plugin-specific data.

🟢

If Mitigated

Limited impact if proper WAF rules block SQL injection patterns or if database permissions are restricted.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

SQL injection via bwfan-track-id parameter requires no authentication and has public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.0

Vendor Advisory: https://wpscan.com/vulnerability/fab29b59-7e87-4289-88dd-ed5520260c26/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'FunnelKit' plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 3.3.0+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Web Application Firewall Rule

all

Block SQL injection patterns targeting the bwfan-track-id parameter

WAF-specific configuration required

Temporary Plugin Deactivation

linux

Disable the vulnerable plugin until patched

wp plugin deactivate funnelkit

🧯 If You Can't Patch

Implement strict WAF rules to block SQL injection patterns
Restrict database user permissions to SELECT only where possible

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → FunnelKit version number. If version is below 3.3.0, site is vulnerable.

Check Version:

wp plugin get funnelkit --field=version

Verify Fix Applied:

Confirm plugin version is 3.3.0 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
HTTP requests containing bwfan-track-id with SQL syntax

Network Indicators:

POST/GET requests to WordPress endpoints with SQL injection payloads in bwfan-track-id parameter

SIEM Query:

web.url:*bwfan-track-id* AND (web.query:*UNION* OR web.query:*SELECT* OR web.query:*INSERT* OR web.query:*UPDATE* OR web.query:*DELETE*)

📊 Metadata

CVE ID: CVE-2024-9186

CVSS v3 Score: 8.6 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE: CWE-89

Published: November 14, 2024

Last Updated: May 15, 2025

🔗 References

https://wpscan.com/vulnerability/fab29b59-7e87-4289-88dd-ed5520260c26/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-9186, you might also want to check these: