FunnelKit WordPress plugin vulnerable to SQL injection attacks
CVE-2024-9186
Key Information:
- Vendor
- Wordpress
- Status
- Vendor
- CVE Published:
- 14 November 2024
Badges
Summary
The FunnelKit plugin for WordPress, specifically the WooCommerce Cart Abandonment, Newsletter, Email Marketing, and Marketing Automation functionality, is impacted by a SQL injection flaw. This vulnerability arises from the plugin's failure to properly sanitize and escape user input from the bwfan-track-id parameter before it is incorporated into SQL statements. As a result, malicious actors can exploit this issue to execute unauthorized SQL commands, potentially gaining unauthorized access to the database and compromising sensitive information.
Affected Version(s)
Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit 0 < 3.3.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved