FunnelKit < 3.14.0.3 – Unauthenticated SQL Injection | CVE 2025-14169 | Plugin Vulnerabilities

Description

The plugin is vulnerable to time-based blind SQL Injection via the 'opid' parameter due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The issue was initially fixed in 3.13.1.6 but re-introduced in 3.14.0

Affects Plugins

Fixed in 3.14.0.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/fb19f920-0fd0-491e-9e87-62c828cad9b9

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Marcin Dudek (dudekmar)

Verified

Yes

WPVDB ID

fff2ca0c-30b9-4a0d-b15f-3b35dede583a

Timeline

Publicly Published

2025-12-11 (about 5 months ago)

Added

2025-12-11 (about 5 months ago)

Last Updated

2026-05-30 (about 4 hours ago)

Other

Published

Title

Published

2014-08-01

Title

Search Everything 7.0.2 - search-everything.php s Parameter SQL Injection

Published

2025-01-31

Title

WP Travel < 10.1.4 - Author+ SQL Injection

Published

2025-03-21

Title

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit < 3.5.2 - Unauthenticated SQL Injection via 'automationId'

Published

2025-08-05

Title

FileBird – WordPress Media Library Folders & File Manager < 6.4.9 - Authenticated (Author+) SQL Injection

Published

2024-04-12

Title

BA Book Everything < 1.6.5 - Authenticated (Contributor+) SQL Injection