CVE-2025-2186
📋 TL;DR
This SQL injection vulnerability in the FunnelKit WooCommerce plugin allows unauthenticated attackers to inject malicious SQL queries through the 'automationId' parameter. Attackers can extract sensitive database information including user credentials, order details, and personal data. All WordPress sites using this plugin up to version 3.5.1 are affected.
💻 Affected Systems
- FunnelKit WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, and potential site takeover via credential extraction.
Likely Case
Extraction of sensitive customer data (emails, addresses, order history) and potential injection of malicious payloads into the database.
If Mitigated
Limited information disclosure if database permissions are properly restricted and WAF blocks SQL injection patterns.
🎯 Exploit Status
Unauthenticated exploitation with simple parameter manipulation; no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.5.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3257474/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'FunnelKit WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation'. 4. Click 'Update Now' if available. 5. If no update appears, download version 3.5.2+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
allDeploy WAF rules to block SQL injection patterns targeting the automationId parameter
Plugin Deactivation
WordPressTemporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate wp-marketing-automations
🧯 If You Can't Patch
- Implement strict input validation for the automationId parameter to allow only numeric values
- Apply network segmentation to isolate the WordPress instance and restrict database access
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 3.5.1 or lower, system is vulnerable.Check Version:
wp plugin get wp-marketing-automations --field=versionVerify Fix Applied:
Verify plugin version is 3.5.2 or higher. Test the affected API endpoint with SQL injection payloads to confirm they are blocked.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in WordPress debug logs
- Multiple requests to /wp-json/bwfan/v1/get-automation-dynamic-coupon with non-numeric automationId values
- Database query patterns with UNION SELECT or other SQL injection signatures
Network Indicators:
- HTTP POST/GET requests to automation API endpoints with SQL payloads in parameters
- Unusual traffic spikes to the vulnerable endpoint
SIEM Query:
source="wordpress.log" AND ("automationId" AND ("UNION" OR "SELECT" OR "SLEEP" OR "BENCHMARK" OR "WAITFOR"))🔗 References
- https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/api/wc/class-bwfan-api-get-automation-dynamic-coupon.php#L50
- https://plugins.trac.wordpress.org/changeset/3257474/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/88f8fa25-e3d5-4dfd-aae5-68b5880ffd53?source=cve
