CVE-2024-9186: 
WordPress vulnerability analysis and mitigation

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before version 3.3.0 contains a SQL injection vulnerability. The vulnerability was discovered and disclosed on November 14, 2024, and is tracked as CVE-2024-9186. The plugin fails to properly sanitize and escape the bwfan-track-id parameter before using it in SQL statements, affecting websites running vulnerable versions of the plugin (WPScan).

The vulnerability exists due to improper input validation of the bwfan-track-id parameter in SQL statements. The issue has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. The vulnerability is classified as CWE-89 (SQL Injection) and can be exploited through at least two different attack vectors involving the bwfan-track-id parameter (CISA, WPScan).

The vulnerability allows unauthenticated attackers to perform SQL injection attacks against affected WordPress installations. This could potentially lead to unauthorized access to sensitive database information and compromise of the website's data integrity (WPScan).

The vulnerability has been patched in version 3.3.0 of the plugin. Site administrators are strongly advised to update to this version or later to protect against potential attacks. No alternative workarounds have been publicly disclosed (WPScan).