CVE-2025-2203: 
WordPress vulnerability analysis and mitigation

The FunnelKit WordPress plugin before version 3.10.2 contains a SQL injection vulnerability identified as CVE-2025-2203. The vulnerability was discovered on January 8, 2025, and affects the WooCommerce Checkout & Funnel Builder functionality. The issue stems from inadequate parameter sanitization and escaping in SQL statements, potentially exposing the system to SQL injection attacks when accessed by users with administrative privileges (WPScan).

The vulnerability exists due to improper sanitization and escaping of parameters in SQL statements. It has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-89 (SQL Injection) and falls under the OWASP Top 10 category A1: Injection (Wiz, WPScan).

The vulnerability allows administrators to perform SQL injection attacks against the affected WordPress installation. While the impact is somewhat limited by the requirement of administrative access, successful exploitation could lead to unauthorized database access and potential manipulation of stored data (Wiz).

The vulnerability has been patched in FunnelKit version 3.10.2. Users are strongly advised to update to this version or later to mitigate the risk. No alternative workarounds have been publicly documented (Wiz).