CVE-2025-14169
Time-Based Blind SQL Injection in FunnelKit WooCommerce Plugin
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| funnelkit | funnel_builder_for_woocommerce_checkout | 3.13.1.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a time-based blind SQL Injection in the FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress. It occurs via the 'opid' parameter in all versions up to 3.13.1.5. The issue arises because the plugin does not properly escape user-supplied input and does not sufficiently prepare the SQL query, allowing unauthenticated attackers to append additional SQL queries. This can be exploited to extract sensitive information from the database.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can extract sensitive information from the database without authentication. This could lead to data breaches, exposure of confidential information, and potential compromise of the affected system's data integrity and confidentiality.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to perform time-based blind SQL Injection via the 'opid' parameter, enabling extraction of sensitive information from the database. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. Therefore, exploitation of this vulnerability may result in violations of these standards due to potential data breaches. [3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a time-based blind SQL Injection via the 'opid' parameter. Detection can be attempted by sending specially crafted HTTP requests to the vulnerable endpoint with the 'opid' parameter containing SQL payloads that cause time delays, then measuring response times to infer injection. For example, using curl to send requests with payloads like "opid=1' AND SLEEP(5)--" and observing if the response is delayed. Additionally, monitoring web server logs for unusual or suspicious 'opid' parameter values or unexpected delays can help detect exploitation attempts. Specific commands could be: curl -i "http://targetsite.com/?opid=1' AND SLEEP(5)--" curl -i "http://targetsite.com/?opid=1' OR IF(1=1,SLEEP(5),0)--" Note: Replace "http://targetsite.com/" with the actual target URL. These commands test for time delays indicative of SQL injection. [3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the FunnelKit - Funnel Builder for WooCommerce Checkout plugin to a version later than 3.13.1.5 where the vulnerability is fixed, as indicated by the extensive code changes in the update. If updating is not immediately possible, restrict access to the vulnerable endpoints, implement web application firewall (WAF) rules to block suspicious 'opid' parameter inputs, and monitor logs for exploitation attempts. Additionally, review and apply security best practices such as input validation and prepared statements in custom code. The plugin update includes nonce verification and improved escaping to prevent SQL injection. [1]