vulnerability
WordPress Plugin: wp-marketing-automations: CVE-2025-12468: Exposure of Sensitive Information to an Unauthorized Actor
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | Nov 4, 2025 | Nov 5, 2025 | Nov 6, 2025 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
Nov 4, 2025
Added
Nov 5, 2025
Modified
Nov 6, 2025
Description
The FunnelKit Automations – Email Marketing Automation and CRM for WordPress and WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.4.1 via the '/wc-coupons/' REST API endpoint. This is due to the endpoint being marked as a public API (`public_api equal to true`), which results in the endpoint being registered with `permission_callback equal togreater than '__return_true'`, bypassing all authentication and capability checks. This makes it possible for unauthenticated attackers to extract sensitive data including all WooCommerce coupon codes, coupon IDs, and expiration status.
Solution
wp-marketing-automations-plugin-cve-2025-12468
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.