CVE-2025-12468
BaseFortify
Publication date: 2025-11-05
Last updated on: 2025-12-04
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| funnelkit | funnelkit_automations | up to 3.6.4.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the FunnelKit Automations plugin for WordPress and WooCommerce, in which a REST API endpoint ('/wc-coupons/') is incorrectly marked as public. As a result, requests to the endpoint bypass all authentication and permission checks, allowing unauthenticated attackers to access sensitive information such as all WooCommerce coupon codes, coupon IDs, and their expiration status.
How can this vulnerability impact me?
An attacker can exploit this vulnerability to obtain sensitive coupon information without authentication. This could lead to unauthorized use or abuse of coupons, financial loss, and potential damage to business reputation due to exposure of sensitive marketing data.