CVE-2025-2186

CVE-2025-2186 is a SQL injection vulnerability in the Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress. It affects all versions up to and including 3.5.1 and stems from insufficient escaping of the user-supplied 'automationId' parameter combined with inadequate preparation of the underlying SQL query. This flaw, classified under CWE-89, has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability disruption.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required. By appending malicious SQL queries to existing ones via the 'automationId' parameter, they can extract sensitive information from the database, such as user data, orders, or other confidential records hosted by the WordPress site.

Advisories and references, including Wordfence threat intelligence and WordPress plugin trac details, point to mitigation through patching. A fix is available in changeset 3257474, which addresses the issue in the affected API endpoint file (class-bwfan-api-get-automation-dynamic-coupon.php at line 50). Security practitioners should update the plugin beyond version 3.5.1 and review database access logs for signs of exploitation.