FunnelKit WordPress plugin vulnerable to SQL injection attacks
CVE-2024-9186

Currently unrated

Key Information:

Vendor

Wordpress
Status
Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By Funnelkit
Vendor
CVE Published:
14 November 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC🟣 EPSS 21%

What is CVE-2024-9186?

The FunnelKit plugin for WordPress, specifically the WooCommerce Cart Abandonment, Newsletter, Email Marketing, and Marketing Automation functionality, is impacted by a SQL injection flaw. This vulnerability arises from the plugin's failure to properly sanitize and escape user input from the bwfan-track-id parameter before it is incorporated into SQL statements. As a result, malicious actors can exploit this issue to execute unauthorized SQL commands, potentially gaining unauthorized access to the database and compromising sensitive information.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit 0 < 3.3.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-9186 - Proof of Concept

References

https://wpscan.com/vulnerability/fab29b59-7e87-4289-88dd-...
exploitvdb-entrytechnical-description

EPSS Score

21% chance of being exploited in the next 30 days.

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

y4ng0615
WPScan
JSON
.