CVE-2025-12468 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the FunnelKit Automations – Email Marketing Automation and CRM plugin for WordPress and WooCommerce. The flaw exists because the REST API endpoint '/wc-coupons/' is marked as a public API with the parameter `public_api = true`. Consequently, the endpoint is registered with a permission callback set to `__return_true`, effectively bypassing all authentication and capability checks. This misconfiguration allows any unauthenticated attacker to query the endpoint and retrieve sensitive data related to WooCommerce coupons, including coupon codes, coupon IDs, and their expiration statuses. Since coupon codes often represent financial discounts or promotional offers, their exposure can lead to unauthorized usage, financial losses, and erosion of customer trust. The vulnerability affects all versions of the plugin up to and including 3.6.4.1. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges required, and no user interaction needed. There are no known exploits currently active in the wild. The vulnerability was publicly disclosed on November 5, 2025, and no official patches have been linked yet. The root cause is a design and configuration error in the REST API permission model, which should enforce authentication and authorization checks before exposing sensitive coupon data.

For European organizations, especially those operating e-commerce platforms using WooCommerce and the FunnelKit Automations plugin, this vulnerability poses a risk of unauthorized disclosure of coupon codes and related metadata. Attackers could leverage exposed coupon codes to fraudulently obtain discounts, leading to direct financial losses and potential revenue leakage. Additionally, the exposure of coupon expiration data could allow attackers to prioritize exploitation of valid coupons. This may also damage brand reputation and customer trust if customers become aware of security weaknesses. Since the vulnerability requires no authentication or user interaction, exploitation can be automated and scaled, increasing the risk of widespread abuse. Organizations that rely heavily on promotional campaigns and loyalty programs are particularly vulnerable. The impact on confidentiality is moderate, while integrity and availability are not affected. The vulnerability does not directly compromise customer personal data but indirectly affects business operations and financial integrity.

1. Immediately restrict access to the '/wc-coupons/' REST API endpoint by implementing authentication and authorization checks, ensuring only authorized users or systems can query coupon data. 2. If possible, disable the public API flag (`public_api = true`) for this endpoint or remove the endpoint entirely if not required. 3. Monitor WooCommerce coupon usage logs for unusual or excessive redemption patterns that may indicate abuse. 4. Implement rate limiting on REST API endpoints to reduce the risk of automated scraping. 5. Keep the FunnelKit Automations plugin updated; apply patches promptly once the vendor releases a fix. 6. Consider temporarily disabling the FunnelKit Automations plugin if coupon data exposure poses a significant risk and no patch is available. 7. Educate marketing and e-commerce teams about the risk and encourage reviewing coupon policies to limit potential damage, such as setting stricter coupon usage limits or expiration dates. 8. Conduct regular security audits of WordPress plugins and REST API configurations to detect similar misconfigurations early.