CVE-2025-12468 identifies a sensitive information exposure vulnerability in the FunnelKit Automations – Email Marketing Automation and CRM plugin for WordPress and WooCommerce, affecting all versions up to 3.6.4.1. The root cause is the misconfiguration of the '/wc-coupons/' REST API endpoint, which is marked as a public API with 'public_api = true'. This results in the endpoint being registered with a permission callback set to '__return_true', effectively bypassing all authentication and capability checks. Consequently, any unauthenticated attacker can query this endpoint and retrieve sensitive data including all WooCommerce coupon codes, their unique IDs, and expiration statuses. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and limited impact confined to confidentiality. There is no impact on integrity or availability. No patches were linked at the time of publication, and no known exploits have been reported in the wild. This vulnerability could be exploited to gather promotional coupon data, potentially enabling fraudulent use of coupons, undermining marketing campaigns, or providing competitive intelligence. Since WooCommerce is widely used in e-commerce, especially in Europe, this vulnerability poses a notable risk to online retailers using this plugin for marketing automation.

For European organizations, the exposure of WooCommerce coupon codes and related data can lead to several adverse outcomes. Unauthorized access to coupon codes may allow attackers or competitors to exploit discounts fraudulently, causing financial losses and revenue leakage. It can also undermine customer trust if promotional campaigns are compromised. Additionally, the leakage of coupon metadata could reveal marketing strategies or campaign timelines, giving competitors an unfair advantage. While the vulnerability does not directly affect system integrity or availability, the confidentiality breach can have reputational and operational impacts, especially for e-commerce businesses relying on WooCommerce and FunnelKit Automations. Given the widespread adoption of WooCommerce in Europe, particularly in countries with mature e-commerce markets, the risk is significant. Attackers could automate data harvesting at scale due to the lack of authentication, increasing the potential impact. This vulnerability also raises compliance concerns under GDPR, as exposure of business-sensitive data without authorization may be considered a data breach requiring notification and remediation.

Immediate mitigation steps include restricting access to the '/wc-coupons/' REST API endpoint by modifying the permission callback to enforce proper authentication and capability checks, ensuring only authorized users can access coupon data. Administrators should audit their FunnelKit Automations plugin version and upgrade to a patched release once available from the vendor. In the interim, disabling the vulnerable REST API endpoint via custom code or security plugins can reduce exposure. Implementing Web Application Firewall (WAF) rules to block unauthenticated requests to this endpoint is also recommended. Regularly monitoring access logs for unusual or repeated requests to '/wc-coupons/' can help detect exploitation attempts. Organizations should review their coupon usage policies and consider rotating or invalidating exposed coupons to mitigate fraud risk. Additionally, conducting a security review of all REST API endpoints for similar misconfigurations is prudent. Finally, ensure that all WordPress and WooCommerce components are kept up to date with security patches to minimize attack surface.