CVE-2025-2186 Overview
CVE-2025-2186 is a SQL injection vulnerability in the Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress. The flaw affects all versions up to and including 3.5.1. The vulnerability resides in the automationId parameter, where insufficient escaping and missing query preparation allow attackers to append arbitrary SQL to existing queries. Unauthenticated attackers can exploit this issue over the network to extract sensitive data from the WordPress database. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Unauthenticated remote attackers can extract sensitive database contents, including user credentials, session tokens, and customer order data, from affected WooCommerce stores.
Affected Products
- Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit (WordPress plugin)
- All versions up to and including 3.5.1
- Plugin slug: wp-marketing-automations
Discovery Timeline
- 2025-03-22 - CVE-2025-2186 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-2186
Vulnerability Analysis
The vulnerability exists in the plugin's REST API handler for retrieving dynamic coupons, specifically in class-bwfan-api-get-automation-dynamic-coupon.php. The endpoint accepts an automationId parameter from the request and incorporates it directly into a SQL query without proper sanitization or use of prepared statements. Because the parameter is concatenated into the query string, attackers can break out of the intended query context and append additional SQL syntax. The WordPress $wpdb API exposes prepare() for parameterized queries, but the affected code path bypasses this safeguard. Attackers can leverage UNION-based or time-based blind injection techniques to exfiltrate data from any table, including wp_users and plugin-specific tables containing customer contact details.
Root Cause
The root cause is insufficient escaping of user-supplied input combined with the absence of $wpdb->prepare() parameter binding on the SQL query that consumes the automationId value. Input validation does not enforce a strict numeric type before the parameter reaches the query builder.
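As an added illustration, not the plugin's own code and not the patch from changeset 3257474, the two callbacks below contrast the pattern described above (the request value interpolated straight into the query) with one that enforces a numeric type at the boundary and binds the value through $wpdb->prepare(). The route name, table name, column names and function names are assumptions; the code is meant to run inside WordPress, where $wpdb, WP_REST_Request and register_rest_route() are available.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical REST callback that
// looks up a "dynamic coupon" row by automation id. The table and column names
// (bwfan_demo_coupons, automation_id, coupon_code) are made up for this example.

// Vulnerable pattern: the untrusted request value is interpolated into the SQL.
function demo_get_coupon_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $automation_id = $request->get_param( 'automationId' );   // arrives as a string
    $table         = $wpdb->prefix . 'bwfan_demo_coupons';    // hypothetical table
    // Anything after the digits becomes part of the query's syntax.
    $sql = "SELECT coupon_code FROM {$table} WHERE automation_id = {$automation_id}";
    return $wpdb->get_var( $sql );
}

// Hardened pattern: reject non-numeric input with a 400, then bind the value
// with a %d placeholder so it can only ever be an integer in the statement.
function demo_get_coupon_safe( WP_REST_Request $request ) {
    global $wpdb;
    $raw = $request->get_param( 'automationId' );
    if ( ! is_numeric( $raw ) || (int) $raw <= 0 ) {
        return new WP_Error(
            'invalid_id',
            'automationId must be a positive integer',
            array( 'status' => 400 )
        );
    }
    $automation_id = absint( $raw );
    $table         = $wpdb->prefix . 'bwfan_demo_coupons';
    // Table names cannot be placeholders in prepare(); the id value can and must be.
    $sql = $wpdb->prepare(
        "SELECT coupon_code FROM {$table} WHERE automation_id = %d",
        $automation_id
    );
    return $wpdb->get_var( $sql );
}

// Declare the same constraint on the route so WordPress rejects bad input
// before the callback runs. Namespace and path are placeholders.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/coupon', array(
        'methods'             => 'GET',
        'callback'            => 'demo_get_coupon_safe',
        'permission_callback' => '__return_true', // public endpoint in this demo
        'args'                => array(
            'automationId' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

The route-level validate_callback and the in-function check are deliberately redundant: the args validation stops malformed requests early, and the prepare() binding guarantees that even a value reaching the query through some other path is treated as data rather than SQL.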
Attack Vector
Exploitation requires no authentication and can be performed remotely over HTTP. An attacker sends a crafted request to the vulnerable REST endpoint with malicious SQL payload appended to the automationId parameter. Successful exploitation results in disclosure of arbitrary database contents but does not directly modify data or impact availability, consistent with the impact profile of this issue.
Refer to the WordPress Plugin Code Snippet for the vulnerable code location and the WordPress Changeset Update for the corrective patch diff.
Detection Methods for CVE-2025-2186
Indicators of Compromise
- HTTP requests to plugin REST endpoints containing SQL keywords or function names such as UNION SELECT, SLEEP(, BENCHMARK(, or INFORMATION_SCHEMA in the automationId parameter.
- Anomalous database query patterns on the WordPress host, including unusually large result sets returned by FunnelKit automation endpoints.
- Unexpected user accounts, password resets, or sessions created shortly after suspicious requests to wp-marketing-automations endpoints.
Detection Strategies
- Inspect web server access logs for non-numeric values supplied to the automationId query parameter or JSON field.
- Deploy web application firewall (WAF) rules that flag SQL injection signatures targeting WordPress REST routes under /wp-json/.
- Correlate 200 OK responses to the affected endpoint with abnormally long response times; repeated multi-second delays on an otherwise fast route can indicate time-based blind injection.
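The two access-log checks above, as an added example that is not part of the advisory: a PHP script that parses constructed log lines, flags automationId values that are not purely numeric after URL-decoding, and flags slow 200 responses on /wp-json/ routes. The log format is assumed to be the nginx combined format with $request_time appended as a trailing field, the slow threshold is an assumption, and the endpoint path in the sample lines is a placeholder rather than the plugin's real route.

```php
<?php
// Added example, not the advisory's code: scan access-log lines for the two
// signals described in the detection strategies. Assumed log format: combined
// format plus a trailing $request_time field. All sample lines are constructed.

const SLOW_SECONDS = 5.0; // assumed threshold for "abnormally long"

// Constructed sample log; the route /wp-json/example/v1/dynamic-coupon is a placeholder.
$sample_log = <<<'LOG'
203.0.113.10 - - [22/Mar/2025:10:00:01 +0000] "GET /wp-json/example/v1/dynamic-coupon?automationId=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.120
203.0.113.11 - - [22/Mar/2025:10:00:02 +0000] "GET /wp-json/example/v1/dynamic-coupon?automationId=42%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "python-requests/2.31" 5.210
203.0.113.12 - - [22/Mar/2025:10:00:03 +0000] "GET /wp-json/example/v1/dynamic-coupon?automationid=42%27 HTTP/1.1" 200 511 "-" "curl/8.4.0" 0.110
203.0.113.13 - - [22/Mar/2025:10:00:04 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0" 0.090
LOG;

// Split one combined-format line (with trailing request time) into fields.
function parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) "[^"]*" "[^"]*" ([0-9.]+)$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
        'rt'     => (float) $m[7],
    );
}

// Return the decoded automationId query value, or null when absent. The name is
// matched case-insensitively, the same way nginx's $arg_ variables behave.
function extract_automation_id( string $target ): ?string {
    $query = parse_url( $target, PHP_URL_QUERY );
    if ( ! is_string( $query ) ) {
        return null;
    }
    parse_str( $query, $params ); // parse_str URL-decodes the values
    foreach ( $params as $name => $value ) {
        if ( strcasecmp( $name, 'automationId' ) === 0 && is_string( $value ) ) {
            return $value;
        }
    }
    return null;
}

// Produce one finding per suspicious signal; a single line can yield both.
function scan_access_log( string $log ): array {
    $findings = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $rec = parse_log_line( $line );
        if ( $rec === null ) {
            continue;
        }
        $id = extract_automation_id( $rec['target'] );
        if ( $id !== null && ! preg_match( '/^[0-9]+$/', $id ) ) {
            $findings[] = sprintf( '%s non-numeric automationId %s from %s',
                $rec['time'], json_encode( $id ), $rec['ip'] );
        }
        $on_rest = strpos( $rec['target'], '/wp-json/' ) !== false;
        if ( $on_rest && $rec['status'] === 200 && $rec['rt'] >= SLOW_SECONDS ) {
            $findings[] = sprintf( '%s slow 200 (%.2fs) on %s from %s',
                $rec['time'], $rec['rt'], strtok( $rec['target'], '?' ), $rec['ip'] );
        }
    }
    return $findings;
}

foreach ( scan_access_log( $sample_log ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

Decoding before matching is the point of the extract step: a signature applied to the raw log line would see `42%27` rather than `42'`, and a lowercase `automationid` would slip past a case-sensitive field name. On the constructed input the script reports three findings (two non-numeric values, one slow response); the fourth line, a normal REST request, produces none.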
Monitoring Recommendations
- Enable MySQL general or slow query logging on staging to identify malformed queries originating from the plugin.
- Monitor for queries referencing INFORMATION_SCHEMA.TABLES or wp_users from the WordPress application user.
- Alert on file integrity changes to wp-content/plugins/wp-marketing-automations/ outside scheduled update windows.
How to Mitigate CVE-2025-2186
Immediate Actions Required
- Update the FunnelKit Recover WooCommerce Cart Abandonment plugin to the version released in changeset 3257474, which is the first release after 3.5.1.
- Audit WordPress user accounts, API keys, and customer records for unauthorized access or modification.
- Rotate database credentials, WordPress secret keys in wp-config.php, and administrator passwords if exploitation is suspected.
Patch Information
The vendor addressed the issue in the changeset published at WordPress Changeset 3257474. The fix introduces proper parameter preparation on the affected query. Additional vulnerability metadata is available in the Wordfence Vulnerability Report.
Workarounds
- Restrict access to the vulnerable REST endpoint at the web server or WAF layer until the patch is applied.
- Deploy a WAF rule rejecting requests where automationId contains non-digit characters.
- Disable the FunnelKit plugin temporarily if patching is not immediately feasible and the cart-recovery functionality is non-essential.
# Example nginx rule to block non-numeric automationId values.
# Place the check inside the location that already serves /wp-json/ and keep its
# existing try_files / fastcgi directives; a separate regex location would
# otherwise shadow the normal PHP handler. The rule only sees the query string,
# not a JSON body, and leaves requests that lack the parameter untouched.
location /wp-json/ {
    if ($arg_automationId ~ "[^0-9]") {
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.