CVE-2025-12468

Name of the Vulnerable Software and Affected Versions FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce versions up to and including 3.6.4.1

Description The software contains a flaw that allows unauthenticated attackers to extract sensitive data, including WooCommerce coupon codes, coupon IDs, and expiration status. This is due to the '/wc-coupons/' REST API endpoint being configured as a public API (public api = true) and bypassing authentication checks via permission callback => ' return true'.

Recommendations Versions prior to 3.6.4.1 should be updated. As a temporary workaround, restrict access to the /wc-coupons/ API endpoint.