CVE-2025-12468

EPSS 0.32%
Veröffentlicht 05.11.2025 09:27:39
Zuletzt bearbeitet 04.12.2025 14:01:37
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Unauthenticated Sensitive Information Exposure

The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.4.1 via the '/wc-coupons/' REST API endpoint. This is due to the endpoint being marked as a public API (`public_api = true`), which results in the endpoint being registered with `permission_callback => '__return_true'`, bypassing all authentication and capability checks. This makes it possible for unauthenticated attackers to extract sensitive data including all WooCommerce coupon codes, coupon IDs, and expiration status.

Mögliche Gegenmaßnahme

FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce: Update to version 3.6.4.2, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Funnelkit ≫ Funnelkit Automations SwPlatformwordpress Version < 3.6.4.2

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce

Version *-3.6.4.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.32%	0.237

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://www.wordfence.com/threat-intel/vulnerabilities/id/1d2a2032-3d39-4195-8e6c-ab884164721a?source=cve

Third Party Advisory

https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/api/wc/class-bwfan-api-wc-coupons.php#L19

Product

https://plugins.trac.wordpress.org/browser/wp-marketing-automations/trunk/includes/class-bwfan-api-loader.php#L119

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/1d2a2032-3d39-4195-8e6c-ab884164721a

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-12468

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-12468

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-12468

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-12468