CVE-2025-12468
📋 TL;DR
This vulnerability allows unauthenticated attackers to access all WooCommerce coupon codes, IDs, and expiration status through a misconfigured REST API endpoint in the FunnelKit Automations WordPress plugin. Any WordPress site using the vulnerable plugin version is affected, potentially exposing sensitive promotional data.
💻 Affected Systems
- FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest all active coupon codes, leading to revenue loss through unauthorized discounts, or use coupon IDs for further attacks on the WooCommerce system.
Likely Case
Unauthorized users extract coupon data for personal use or resale, causing financial loss through coupon abuse and undermining marketing campaigns.
If Mitigated
With proper authentication controls, only authorized users can access coupon data, preventing information exposure.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.4.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/api/wc/class-bwfan-api-wc-coupons.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'FunnelKit Automations' and check for updates.
4. Update to version 3.6.4.2 or newer.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Block vulnerable REST endpoint
Linux (Apache): add the following .htaccess rule to block access to the vulnerable API endpoint. Place it before the standard WordPress rewrite block so it is evaluated before requests are routed to index.php.
RewriteEngine On
RewriteRule ^wp-json/funnelkit-automations/wc-coupons - [F,L]
Disable plugin temporarily
All platforms: deactivate the FunnelKit Automations plugin until patched (WP-CLI)
wp plugin deactivate wp-marketing-automations
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to /wp-json/funnelkit-automations/wc-coupons
- Restrict access to WordPress REST API endpoints using authentication middleware or IP whitelisting
🔍 How to Verify
Check if Vulnerable:
Send a GET request to https://[your-site]/wp-json/funnelkit-automations/wc-coupons. If it returns coupon data without authentication, the site is vulnerable.
Check Version:
wp plugin get wp-marketing-automations --field=version
Verify Fix Applied:
After updating, attempt the same GET request. It should return 401 Unauthorized or no coupon data.
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /wp-json/funnelkit-automations/wc-coupons from unauthenticated users
- Unusual coupon usage patterns in WooCommerce logs
Network Indicators:
- HTTP 200 responses to /wp-json/funnelkit-automations/wc-coupons without authentication headers
- Burst of requests to coupon API endpoint
SIEM Query:
source="web_logs" AND uri_path="/wp-json/funnelkit-automations/wc-coupons" AND http_method="GET" AND NOT auth_token=*
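As an added example (not part of the advisory), the Log Indicators and Network Indicators above implemented as a Python pass over web-server access log lines: it flags 200 responses to the coupon endpoint on requests with no HTTP auth user and counts per-source bursts. It goes slightly beyond the indicators as written by also recognising the /?rest_route= URL form WordPress accepts for every REST route; the sample log lines and the burst threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# REST route of the affected endpoint. rest_route() below normalises both URL
# forms WordPress serves it under: /wp-json/<route> and /?rest_route=/<route>.
COUPON_ROUTE = "/funnelkit-automations/wc-coupons"
BURST_THRESHOLD = 3  # assumption: tune to your site's normal admin traffic

# Combined log format. The third field is the HTTP auth user: "-" means the
# request carried no Authorization header (cookie-based WP auth is invisible here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2025:14:02:01 +0000] "GET /wp-json/funnelkit-automations/wc-coupons HTTP/1.1" 200 8412 "-" "python-requests/2.31"
203.0.113.10 - - [10/Nov/2025:14:02:02 +0000] "GET /wp-json/funnelkit-automations/wc-coupons/?page=2 HTTP/1.1" 200 7990 "-" "python-requests/2.31"
203.0.113.10 - - [10/Nov/2025:14:02:02 +0000] "GET /?rest_route=/funnelkit-automations/wc-coupons&page=3 HTTP/1.1" 200 7711 "-" "python-requests/2.31"
198.51.100.7 - - [10/Nov/2025:14:05:44 +0000] "GET /wp-json/wc/v3/products HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
198.51.100.7 - admin [10/Nov/2025:14:06:10 +0000] "GET /wp-json/funnelkit-automations/wc-coupons HTTP/1.1" 200 8412 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Nov/2025:14:07:30 +0000] "GET /wp-json/funnelkit-automations/wc-coupons HTTP/1.1" 401 112 "-" "curl/8.4"
"""

def rest_route(target):
    """REST route for /wp-json/<route> or /?rest_route=/<route>; None otherwise."""
    url = urlsplit(target)
    if url.path.startswith("/wp-json/"):
        return url.path[len("/wp-json"):].rstrip("/")
    route = parse_qs(url.query).get("rest_route")
    return route[0].rstrip("/") if route else None

def analyze(log_text):
    """Return (unauth_hits, bursts): (ip, ts) of 200-answered GETs with no HTTP
    auth user, and ip -> request count for sources at or above BURST_THRESHOLD."""
    unauth_hits, per_ip = [], defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or rest_route(m["target"]) != COUPON_ROUTE:
            continue
        per_ip[m["ip"]] += 1
        if m["method"] == "GET" and m["status"] == "200" and m["user"] == "-":
            unauth_hits.append((m["ip"], m["ts"]))
    bursts = {ip: n for ip, n in per_ip.items() if n >= BURST_THRESHOLD}
    return unauth_hits, bursts
```

Run it over your own access log instead of SAMPLE_LOG; the 401 line shows what the endpoint should return once the fix is applied.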
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/api/wc/class-bwfan-api-wc-coupons.php#L19
- https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-api-loader.php#L119
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1d2a2032-3d39-4195-8e6c-ab884164721a?source=cve