Description
The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.4.1 via the '/wc-coupons/' REST API endpoint. This is due to the endpoint being marked as a public API (`public_api = true`), which results in the endpoint being registered with `permission_callback => '__return_true'`, bypassing all authentication and capability checks. This makes it possible for unauthenticated attackers to extract sensitive data including all WooCommerce coupon codes, coupon IDs, and expiration status.
Published: 2025-11-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The FunnelKit Automations plugin for WordPress and WooCommerce is vulnerable to a sensitive information exposure flaw. The '/wc-coupons/' REST API endpoint is registered as a public API and configured with a permission callback that always returns true. This bypasses all authentication and capability checks, allowing any unauthenticated user to retrieve detailed coupon information, including coupon codes, identifiers, and expiration status. The vulnerability maps to CWE-200 and directly compromises the confidentiality of merchant data.

Affected Systems

All installations of FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce up to and including version 3.6.4.1 are affected. Sites running any of these versions with the default REST endpoint configuration are at risk.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) scores 5.3, medium: the endpoint is reachable over the network, exploitation is a single unauthenticated HTTP request with no user interaction, and the impact is limited to confidentiality. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, although the SSVC assessment marks it as automatable. Leaked coupon codes can be redeemed by anyone who holds them, so exposure of codes intended for specific customers or campaigns translates directly into unauthorized discounts and revenue loss for the merchant. Prompt remediation is recommended to mitigate the confidentiality impact.

Generated by OpenCVE AI on April 22, 2026 at 21:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FunnelKit Automations to the latest available version, which removes the insecure public API registration.
  • Ensure that the '/wc-coupons/' endpoint is no longer publicly accessible: an unauthenticated request to it should be refused (typically HTTP 401 or 403 with a rest_forbidden error) rather than returning coupon data, and the plugin's REST route registration should no longer use '__return_true' as the permission_callback for this route.
  • If a custom or legacy installation requires the endpoint, replace the permission_callback with a proper authentication check or disable the endpoint entirely.
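The following PHP is an added illustration, not FunnelKit's code, of the mechanism described in the analysis above and of the replacement the last recommended action calls for: a registration helper in which a `public_api` flag collapses into `permission_callback => '__return_true'`, next to a hardened registration of the same `/wc-coupons/` path that requires a store-management capability. The `example/v1` namespace, every `example_*` function name and the `manage_woocommerce` capability are assumptions; the advisory names only the `/wc-coupons/` path, the `public_api` flag and the `__return_true` callback.

```php
<?php
// Added example, not FunnelKit's code. Shows the registration pattern the
// advisory describes (a public_api flag turning into '__return_true') next
// to a hardened registration for the same '/wc-coupons/' path.
// Assumed, not from the advisory: the 'example/v1' namespace, every
// example_* function name, and the 'manage_woocommerce' capability.

// Vulnerable pattern. A flag in the route definition decides whether any
// permission check exists at all. For public_api = true the route ends up
// with '__return_true', so WordPress performs no authentication and no
// capability check before calling the handler.
function example_register_route_insecure( array $route ) {
    $permission = ! empty( $route['public_api'] )
        ? '__return_true'
        : $route['permission_callback'];

    register_rest_route( 'example/v1', $route['path'], array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => $route['callback'],
        'permission_callback' => $permission,
    ) );
}

// The shape of call that exposes coupon data to anyone who can reach
// /wp-json/example/v1/wc-coupons/: the real callback is silently ignored.
function example_register_coupons_route_insecure() {
    example_register_route_insecure( array(
        'path'                => '/wc-coupons/',
        'callback'            => 'example_list_coupons',
        'public_api'          => true,
        'permission_callback' => 'example_coupons_permission',
    ) );
}

// Hardened replacement. The permission callback always runs and requires a
// store-management capability; coupon codes are merchant data, so a merely
// logged-in customer is still refused. rest_authorization_required_code()
// yields 401 for anonymous callers and 403 for authenticated ones.
function example_coupons_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to list coupons.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_register_coupons_route_secure() {
    register_rest_route( 'example/v1', '/wc-coupons/', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_coupons',
        'permission_callback' => 'example_coupons_permission',
    ) );
}

// Handler shared by both registrations: lists WooCommerce coupons, which are
// stored as posts of type 'shop_coupon' with the code as the post title and
// the expiry timestamp in the 'date_expires' meta key.
function example_list_coupons( WP_REST_Request $request ) {
    $coupon_ids = get_posts( array(
        'post_type'      => 'shop_coupon',
        'post_status'    => 'publish',
        'posts_per_page' => 100,
        'fields'         => 'ids',
    ) );
    $out = array();
    foreach ( $coupon_ids as $coupon_id ) {
        $expiry = get_post_meta( $coupon_id, 'date_expires', true );
        $out[]  = array(
            'id'      => $coupon_id,
            'code'    => get_the_title( $coupon_id ),
            'expired' => '' !== $expiry && (int) $expiry < time(),
        );
    }
    return rest_ensure_response( $out );
}

// Register only the hardened route.
add_action( 'rest_api_init', 'example_register_coupons_route_secure' );
```

With the hardened route in place, an unauthenticated GET to /wp-json/example/v1/wc-coupons/ returns HTTP 401 with code rest_forbidden instead of the coupon list; the plugin's real namespace is not given in the advisory, so take the path from its own register_rest_route calls when testing a live site. As a broader audit, grep the plugin for permission_callback values of '__return_true' and confirm that every route so marked is genuinely meant to be public.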


Advisories

No advisories yet.

History

Thu, 04 Dec 2025 14:15:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:funnelkit:funnelkit_automations:*:*:*:*:*:wordpress:*:*

Thu, 06 Nov 2025 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Funnelkit; Funnelkit funnelkit Automations; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Funnelkit; Funnelkit funnelkit Automations; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Wed, 05 Nov 2025 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 05 Nov 2025 09:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.4.1 via the '/wc-coupons/' REST API endpoint. This is due to the endpoint being marked as a public API (`public_api = true`), which results in the endpoint being registered with `permission_callback => '__return_true'`, bypassing all authentication and capability checks. This makes it possible for unauthenticated attackers to extract sensitive data including all WooCommerce coupon codes, coupon IDs, and expiration status.

Type: Title
Values Removed: (none)
Values Added: FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Unauthenticated Sensitive Information Exposure

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-200

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:33.889Z

Reserved: 2025-10-29T15:28:51.567Z

Link: CVE-2025-12468

Vulnrichment

Updated: 2025-11-05T15:43:47.467Z

NVD

Status : Analyzed

Published: 2025-11-05T10:15:35.463

Modified: 2025-12-04T14:01:37.227

Link: CVE-2025-12468

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:30:27Z

Weaknesses