PT-2024-39476 · Funnelkit · Recover Woocommerce Cart Abandonment

Ery4Ng0615 +1 · Published 2024-11-14 · Updated 2025-05-15

·

CVE-2024-9186
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin, versions prior to 3.3.0
Description: The plugin uses the bwfan-track-id request parameter in a SQL statement without sanitizing or escaping it, so an unauthenticated attacker can inject SQL through that parameter. The CVSS vector (no privileges, no user interaction, high confidentiality impact, changed scope) rates this as an unauthenticated read of database contents.
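The pattern the description names, shown as an added illustration rather than the plugin's own code: a request parameter spliced into SQL text, beside the form that binds it through $wpdb->prepare(). The table name, column name and function names are hypothetical; $_GET, wp_unslash(), sanitize_text_field(), $wpdb->prepare() and $wpdb->get_row() are real PHP and WordPress APIs.

```php
<?php
// Added example, not FunnelKit's code. Table name, column name and function
// names are hypothetical; the WordPress APIs used are real.

// Vulnerable pattern: the raw parameter becomes part of the SQL text.
// WordPress adds slashes to $_GET, and plugins routinely strip them again,
// which leaves a raw quote that can end the string literal in the query.
// bwfan-track-id = x' OR '1'='1   makes the WHERE clause match every row;
// a UNION SELECT payload pulls rows from other tables into the result.
function hypothetical_lookup_vulnerable( $wpdb ) {
    $track_id = wp_unslash( $_GET['bwfan-track-id'] ?? '' );
    $sql = "SELECT * FROM {$wpdb->prefix}hypothetical_carts WHERE track_id = '$track_id'";
    return $wpdb->get_row( $sql );
}

// Hardened form: wp_unslash() removes the slashes WordPress added,
// sanitize_text_field() strips tags and control characters, and
// $wpdb->prepare() binds the value as a quoted string literal, so quote
// characters inside it can no longer terminate the literal. The %s
// placeholder is written unquoted; prepare() adds the quotes itself.
// The table name is still interpolated because placeholders cannot bind
// identifiers; that is acceptable only because it is a constant, not
// request data.
function hypothetical_lookup_fixed( $wpdb ) {
    if ( ! isset( $_GET['bwfan-track-id'] ) ) {
        return null;
    }
    $track_id = sanitize_text_field( wp_unslash( $_GET['bwfan-track-id'] ) );
    if ( '' === $track_id ) {
        return null;
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}hypothetical_carts WHERE track_id = %s",
        $track_id
    );
    return $wpdb->get_row( $sql );
}
```

If the column were numeric and the vulnerable query compared it without quotes, the slashes WordPress adds would offer no protection at all, since no quote is needed to break out; the %d placeholder in $wpdb->prepare() covers that case.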
Recommendations: Update to version 3.3.0 or later. Until the update can be applied, keep attacker-controlled bwfan-track-id values away from the affected query: reject or validate the parameter in front of WordPress (a web server rule, a WAF rule, or a must-use plugin), or deactivate the plugin. Developers maintaining a fork should pass the value through $wpdb->prepare() instead of concatenating it into the statement.
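A stop-gap for the interim, written here as an added example and not provided by FunnelKit: a must-use plugin that rejects any request whose bwfan-track-id value falls outside an allowlist, before regular plugins load. The accepted character set is an assumption about what a tracking identifier looks like; if legitimate identifiers use other characters, widen the pattern. Checking $_GET, $_POST and $_COOKIE together is also an assumption, since the advisory does not say where the parameter is read from.

```php
<?php
/**
 * Plugin Name: bwfan-track-id gate (added example, not FunnelKit code)
 * Description: Rejects requests carrying a bwfan-track-id value outside an
 *              allowlist. Install in wp-content/mu-plugins/ and remove once
 *              the plugin is updated to 3.3.0 or later.
 */

// The allowlist is an assumption about the identifier format, not taken
// from the plugin: letters, digits, underscore and hyphen, 1 to 64 chars.
function hypothetical_bwfan_track_id_is_clean( $value ) {
    return is_string( $value ) && 1 === preg_match( '/\A[A-Za-z0-9_-]{1,64}\z/', $value );
}

// Returns false if any request source carries a bwfan-track-id that fails
// the allowlist. wp_unslash() undoes the slashes WordPress adds so the
// check sees the same bytes a plugin would after stripping them.
function hypothetical_bwfan_request_is_clean( array $sources ) {
    foreach ( $sources as $source ) {
        if ( array_key_exists( 'bwfan-track-id', $source )
             && ! hypothetical_bwfan_track_id_is_clean( wp_unslash( $source['bwfan-track-id'] ) ) ) {
            return false;
        }
    }
    return true;
}

// Evaluated at file load rather than on a hook: must-use plugins load before
// regular plugins, so this runs before any plugin code can read the value.
if ( ! hypothetical_bwfan_request_is_clean( array( $_GET, $_POST, $_COOKIE ) ) ) {
    status_header( 400 );
    exit;
}
```

Rejecting with a 400 rather than silently dropping the parameter keeps the failure visible in access logs, which is where you would look for exploitation attempts while the gate is in place.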

Weakness Enumeration: SQL injection
Related Identifiers: CVE-2024-9186
Affected Products: Recover Woocommerce Cart Abandonment