CVE-2025-12468 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the FunnelKit Automations – Email Marketing Automation and CRM plugin for WordPress and WooCommerce. The root cause lies in the '/wc-coupons/' REST API endpoint being marked as a public API with the 'public_api = true' flag, which results in the endpoint being registered with a permission callback that always returns true ('__return_true'). This configuration bypasses all authentication and capability checks, allowing any unauthenticated user to access the endpoint. As a result, attackers can retrieve sensitive data including all coupon codes, coupon IDs, and their expiration statuses. Since coupons often represent financial discounts or promotions, unauthorized access can lead to misuse or fraudulent transactions. The vulnerability affects all versions up to and including 3.6.4.1 of the plugin. The CVSS v3.1 base score is 5.3, indicating a medium severity level due to network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to confidentiality. No integrity or availability impacts are noted. There are no known exploits in the wild at the time of publication. The vulnerability was assigned and published by Wordfence in late 2025. No official patches are linked yet, so mitigation relies on configuration changes or plugin updates once available.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive coupon information from WooCommerce stores using the FunnelKit Automations plugin. Attackers can harvest all active and expired coupon codes along with their metadata, enabling them to exploit discounts fraudulently or gain insights into marketing strategies. This can lead to direct financial losses for e-commerce businesses through unauthorized coupon redemptions. Additionally, exposure of coupon data may erode customer trust and damage brand reputation. While the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can have significant business consequences. Organizations relying on WooCommerce and this plugin for marketing automation are at risk, especially those with high transaction volumes or valuable promotional campaigns. The ease of exploitation (no authentication or user interaction required) increases the likelihood of automated scanning and data harvesting by attackers. Although no availability or integrity impacts are reported, the confidentiality breach is sufficient to warrant prompt remediation.

To mitigate this vulnerability, organizations should immediately audit and restrict access to the '/wc-coupons/' REST API endpoint. This can be done by implementing custom permission callbacks that enforce authentication and capability checks, ensuring only authorized users or systems can access coupon data. Until an official patch is released, consider disabling the FunnelKit Automations plugin if coupon data exposure poses a significant risk. Monitor web server and application logs for unusual access patterns to the '/wc-coupons/' endpoint, such as repeated unauthenticated requests. Employ Web Application Firewalls (WAFs) to block or rate-limit suspicious API requests targeting this endpoint. Keep the WordPress core, WooCommerce, and all plugins updated to their latest versions, and apply the official patch from the vendor as soon as it becomes available. Additionally, review and rotate coupon codes if exposure is suspected to minimize potential abuse. Educate development and security teams about secure REST API configurations to prevent similar issues in the future.