CVE-2024-9186 Scanner
CVE-2024-9186 Scanner - SQL Injection vulnerability in FunnelKit Automation By Autonami
Short Info
Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 7 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
FunnelKit Automation By Autonami is a WordPress plugin for automating marketing workflows. It integrates with WooCommerce and is used by online stores to recover abandoned carts, send newsletters, and run automated email campaigns.
The vulnerability is an SQL injection in FunnelKit Automation By Autonami versions before 3.3.0. The plugin does not sanitize or escape the "bwfan-track-id" request parameter before using it in a database query, so the value reaches the SQL layer unchanged. An attacker can therefore append additional SQL to the existing query instead of supplying a plain tracking identifier.
Exploitation goes through the "bwfan-track-id" parameter. Because the query's results are not returned directly, the practical technique is time-based blind injection: the attacker supplies a payload that makes the database pause only when a chosen condition is true, then infers database contents from the response delay, one condition at a time. The affected endpoint can be reached without authentication, so no account on the site is required. Sites should update to version 3.3.0 or later, where the query is fixed.
If successfully exploited, the flaw compromises the confidentiality of the application's data: an attacker can extract sensitive records from the WordPress database, such as user and customer information. Depending on the payload, the extra load from repeated timing queries can also degrade or disrupt the site's database operations.
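The pattern behind this class of bug, as an added illustration that is not FunnelKit's code: a request parameter concatenated into SQL beside the same lookup rewritten with WordPress's `$wpdb->prepare()`. The table name `bwfan_tracking` and column `track_id` are assumptions chosen only to show the pattern; the real plugin's schema is not shown on this page.

```php
<?php
// Illustrative WordPress request handler. NOT FunnelKit's code.
// Assumed names: table {$wpdb->prefix}bwfan_tracking, column track_id.

// --- Vulnerable pattern: raw parameter interpolated into the query ---
function bwfan_example_lookup_vulnerable( $wpdb ) {
    // The request value is used verbatim. A value such as
    //   1 AND SLEEP(5)
    // changes how long the query takes, which is all a time-based
    // blind injection needs to infer data from the response delay.
    $track_id = isset( $_GET['bwfan-track-id'] ) ? $_GET['bwfan-track-id'] : '';
    $table    = $wpdb->prefix . 'bwfan_tracking';
    $sql      = "SELECT * FROM {$table} WHERE track_id = {$track_id}";
    return $wpdb->get_row( $sql );
}

// --- Hardened pattern: type coercion plus a prepared statement ---
function bwfan_example_lookup_hardened( $wpdb ) {
    if ( ! isset( $_GET['bwfan-track-id'] ) ) {
        return null;
    }
    // Coerce to the type the column actually holds. An integer id can
    // never carry SQL syntax, so this alone closes the injection.
    $track_id = absint( wp_unslash( $_GET['bwfan-track-id'] ) );
    if ( 0 === $track_id ) {
        return null;
    }
    $table = $wpdb->prefix . 'bwfan_tracking';
    // $wpdb->prepare() binds the value; %d additionally forces an integer
    // placeholder, so even a non-coerced value could not alter the query.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE track_id = %d", $track_id );
    return $wpdb->get_row( $sql );
}

// If the identifier were a string token rather than an integer, the
// hardened form would use sanitize_text_field() and the %s placeholder:
//   $wpdb->prepare( "SELECT * FROM {$table} WHERE track_id = %s", $token );
```

The check a reviewer makes is mechanical: every `$_GET`, `$_POST` or `$_REQUEST` value that reaches `$wpdb->query()`, `get_row()`, `get_results()` or `get_var()` must pass through `$wpdb->prepare()` with a placeholder, never through string interpolation. Escaping alone (`esc_sql()`) is weaker than a placeholder because it only protects quoted string contexts, not a bare numeric comparison like the one above.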