cleantalk
Vulnerabilities and Security Researches

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit, CVE-2025-12468

CVE, Research URL

CVE-2025-12468

Home page URL

Security reports for Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit

Application

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit

Published on
Nov 05, 2025
Research Description
The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.4.1 via the '/wc-coupons/' REST API endpoint. This is due to the endpoint being marked as a public API (`public_api = true`), which results in the endpoint being registered with `permission_callback => '__return_true'`, bypassing all authentication and capability checks. This makes it possible for unauthenticated attackers to extract sensitive data including all WooCommerce coupon codes, coupon IDs, and expiration status.
Affected versions
max 3.6.4.2.
Status
vulnerable
Previous vulnerability researches
E2Pdf – Export To Pdf Tool for WordPress (CVE-2024-37415) , Jul 02, 2024
E2Pdf – Export To Pdf Tool for WordPress (CVE-2023-46154) , Jun 07, 2024
E2Pdf – Export To Pdf Tool for WordPress (CVE-2023-50849) , Jun 07, 2024
E2Pdf – Export To Pdf Tool for WordPress (CVE-2023-5229) , Jun 07, 2024
E2Pdf – Export To Pdf Tool for WordPress (CVE-2024-31373) , Jun 07, 2024
New vulnerability
Reloadly Plugin (CVE-2025-62956) , Nov 10, 2025
Shortcode Generator (CVE-2025-49945) , Nov 10, 2025
WP-Click-Tracker (CVE-2025-49954) , Nov 10, 2025
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy (CVE-2025-53425) , Nov 10, 2025
WPC Countdown Timer for WooCommerce (CVE-2025-49908) , Nov 10, 2025