cleantalk
Vulnerabilities and Security Researches

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit, CVE-2025-12468

CVE, Research URL

CVE-2025-12468

Home page URL

Security reports for Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit

Application

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit

Published on
Nov 05, 2025
Research Description
The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.4.1 via the '/wc-coupons/' REST API endpoint. This is due to the endpoint being marked as a public API (`public_api = true`), which results in the endpoint being registered with `permission_callback => '__return_true'`, bypassing all authentication and capability checks. This makes it possible for unauthenticated attackers to extract sensitive data including all WooCommerce coupon codes, coupon IDs, and expiration status.
Affected versions
max 3.6.4.2.
Status
vulnerable
Previous vulnerability researches
Real Cookie Banner: GDPR & ePrivacy Cookie Consent (CVE-2025-1485) , Jun 04, 2025
Real Cookie Banner: GDPR & ePrivacy Cookie Consent (CVE-2025-12136) , Nov 09, 2025
Real Cookie Banner: GDPR & ePrivacy Cookie Consent (CVE-2022-4507) , Jun 07, 2024
Real Cookie Banner: GDPR & ePrivacy Cookie Consent (CVE-2022-0445) , Jun 07, 2024
New vulnerability
Microsoft Azure Storage for WordPress (CVE-2025-10749) , Nov 10, 2025
Reloadly Plugin (CVE-2025-62956) , Nov 10, 2025
Shortcode Generator (CVE-2025-49945) , Nov 10, 2025
WP-Click-Tracker (CVE-2025-49954) , Nov 10, 2025
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy (CVE-2025-53425) , Nov 10, 2025