CVE-2025-2186: 
WordPress vulnerability analysis and mitigation

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to SQL Injection via the 'automationId' parameter in versions up to 3.5.1. This vulnerability was discovered and disclosed on March 22, 2025, and affects the plugin's dynamic coupon functionality (NVD).

The vulnerability exists due to insufficient escaping of the user-supplied 'automationId' parameter and inadequate preparation of SQL queries. The affected component is located in the dynamic coupon generation functionality. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a network-exploitable vulnerability requiring no privileges or user interaction (Wordfence).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially leading to the extraction of sensitive information from the database. This could result in unauthorized access to confidential data stored in the WordPress database (NVD).

The vulnerability has been patched in version 3.5.2 of the plugin. Users are strongly advised to update to this version or later to protect against potential attacks. The fix includes proper parameter sanitization and query preparation (WordPress Changeset).