CVE-2025-49034
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Funnel Builder by FunnelKit funnel-builder allows SQL Injection. This issue affects Funnel Builder by FunnelKit: from n/a through <= 3.10.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in Funnel Builder by FunnelKit plugin for WordPress (≤3.10.2) allows unauthenticated attackers to execute arbitrary SQL commands.
Vulnerability Overview
The Funnel Builder by FunnelKit plugin for WordPress, versions 3.10.2 and earlier, contains an SQL injection vulnerability due to improper neutralization of special elements used in SQL commands [1]. This flaw allows an attacker to inject malicious SQL queries through user-supplied input that is not properly sanitized before being used in database operations.
Exploitation
The vulnerability can be exploited without authentication, making it accessible to any remote attacker. By sending specially crafted requests, an attacker can manipulate SQL queries executed by the plugin. According to the advisory, such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
Impact
Successful exploitation enables an attacker to directly interact with the underlying database. This could lead to unauthorized access to sensitive information, including user data, credentials, and other stored content. The CVSS v3 base score of 7.6 (High) reflects the potential for significant data compromise [1].
Mitigation
The vulnerability has been addressed in version 3.11.0 of the plugin. Users are strongly advised to update immediately. If updating is not possible, consulting with a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins to ensure timely patching [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 3.10.2
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.