CVE-2025-12468: 
WordPress vulnerability analysis and mitigation

The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin is vulnerable to Sensitive Information Exposure in versions up to 3.6.4.1. This vulnerability was discovered and reported by Wordfence, with the assigned identifier CVE-2025-12468. The vulnerability was disclosed on November 5, 2025 (NVD).

The vulnerability exists in the '/wc-coupons/' REST API endpoint, which is incorrectly configured as a public API with 'publicapi = true'. This configuration results in the endpoint being registered with 'permissioncallback => '_returntrue'', effectively bypassing all authentication and capability checks. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and no required privileges (NVD).

The vulnerability allows unauthenticated attackers to extract sensitive data including all WooCommerce coupon codes, coupon IDs, and expiration status. This exposure of sensitive information could potentially lead to unauthorized use of coupon codes and financial impact for the affected businesses (NVD).

Users of the FunnelKit Automations plugin should immediately update to a version newer than 3.6.4.1 if available. Until an update is applied, it is recommended to implement additional access controls at the web server level to restrict access to the vulnerable endpoint (NVD).