CVE-2024-9186
published 2024-11-14

CVE-2024-9186: The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before 3.3.0 does not sanitize and…

Priority: P2 (63) · Severity: high · CVSS 3.1 base score: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploit
EPSS: 2.24% (80.6th percentile)
The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before 3.3.0 does not sanitize and escape the bwfan-track-id parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

Affected (1 range)

Vendor      Product                 Version range   Fixed in
funnelkit   funnelkit_automations   < 3.3.0         3.3.0

Detection & IOCs (extracted from sources)

IOC (other): bwfan-track-id (the vulnerable request parameter)
Sigma rule (the parameter alone also appears in legitimate plugin traffic, so the rule requires SQL metacharacters or keywords in the query string as well):
title: CVE-2024-9186 FunnelKit SQL Injection via bwfan-track-id
id: <UNKNOWN>
status: experimental
description: Detects unauthenticated SQL injection attempts targeting the bwfan-track-id parameter in the FunnelKit/Autonami WordPress plugin before 3.3.0
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-9186
tags:
  - cve.2024-9186
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection_param:
    cs-uri-query|contains: 'bwfan-track-id'
  selection_payload:
    cs-uri-query|contains:
      - "'"
      - '%27'
      - 'union'
      - 'select'
      - 'sleep('
      - 'benchmark('
      - '--'
  condition: selection_param and selection_payload
falsepositives:
  - Legitimate requests carrying bwfan-track-id whose value happens to contain one of the payload substrings
level: high
Snort/Suricata rule (content match narrowed with a PCRE on the parameter value so that benign tracking requests do not fire it):
alert http any any -> any any (msg:"CVE-2024-9186 FunnelKit bwfan-track-id SQLi"; flow:established,to_server; content:"bwfan-track-id"; http_uri; nocase; pcre:"/bwfan-track-id=[^&]*(%27|'|union|select|sleep|benchmark|--)/Ui"; reference:cve,2024-9186; classtype:web-application-attack; sid:20249186; rev:2;)
  • Monitor HTTP requests containing the 'bwfan-track-id' parameter for SQL injection payloads (quotes, comment sequences, UNION/SELECT, sleep/benchmark functions). URL-decode the value before matching, and decode twice to catch double-encoded payloads. The vulnerability is unauthenticated, so the absence of a session cookie is not a reason to discount a request.
  • The Nuclei/community template for this CVE treats an HTTP 200 response to its crafted bwfan-track-id request as a match. Because the endpoint also returns 200 for benign values, a 200 on its own is a weak signal; a time-based probe (sleep/benchmark) whose response is delayed by the requested number of seconds is much stronger evidence that the instance is vulnerable.
  • The '# digest:' signature line in the Nuclei template identifies that specific template file; it fingerprints the scanner tooling, not the vulnerability, and is useful for attributing scan traffic to the public template rather than for detecting exploitation.
  • The vulnerability affects plugin versions before 3.3.0; instances running 3.3.0 or later are patched. Check the installed version (the plugin header or the WordPress admin plugin list) rather than relying on a scanner's status-code heuristic.
  • Exploitation requires no authentication, so any HTTP request carrying a malicious bwfan-track-id value can trigger the SQL injection. A perimeter rule that rejects SQL metacharacters and keywords in this parameter is a viable compensating control until the upgrade is applied; a blanket block of the parameter will also break any legitimate plugin requests that use it, so prefer the narrower rule and upgrade to 3.3.0 as the actual fix.
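As an added example (not part of this page and not code from the FunnelKit project), the script below applies the monitoring advice above to web-server access logs: it parses combined-format lines, extracts the bwfan-track-id value, URL-decodes it a second time to catch double encoding, and reports which SQL-injection indicators the value contains. The log lines, client addresses, indicator set and all function names (scan_log, extract_track_id, classify_value) are constructed for this illustration.

```python
"""Flag SQL-injection attempts in the bwfan-track-id parameter (CVE-2024-9186).

Added example with constructed log lines; not from the page or the plugin.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

PARAM = "bwfan-track-id"

# Indicators of an injected value, applied to the fully URL-decoded parameter.
# Dict order is the order indicator names are reported in.
SQLI_INDICATORS = {
    "quote": re.compile(r"['\"]"),
    "comment": re.compile(r"(--|#|/\*)"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "boolean": re.compile(r"\b(or|and)\b\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I),
    "stacked": re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),
}

# Apache/nginx "combined" format: ip ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r"(?P<status>\d{3})"
)


def extract_track_id(uri):
    """Return the decoded bwfan-track-id value from a request URI, or None."""
    values = parse_qs(urlsplit(uri).query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    # parse_qs already decoded once; decode again so %2527 -> %27 -> ' is caught.
    return unquote_plus(values[0])


def classify_value(value):
    """Return the names of the SQLi indicators present in the decoded value."""
    return [name for name, rx in SQLI_INDICATORS.items() if rx.search(value)]


def scan_log(lines):
    """Return one record per request carrying the parameter, with its indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format access log line
        value = extract_track_id(m["uri"])
        if value is None:
            continue  # request does not touch the vulnerable parameter
        hits.append({
            "ip": m["ip"],
            "status": int(m["status"]),
            "value": value,
            "indicators": classify_value(value),
        })
    return hits


# Constructed sample log (documentation addresses, not real traffic):
# a benign tracking hit, a time-based probe, a UNION extraction attempt,
# a double-encoded boolean payload, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Nov/2024:10:00:01 +0000] "GET /?bwfan-track-id=9f8a7b6c HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Nov/2024:10:00:02 +0000] "GET /?bwfan-track-id=1\'%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Nov/2024:10:00:08 +0000] "GET /?bwfan-track-id=-1%20UNION%20SELECT%201,user_pass%20FROM%20wp_users--%20- HTTP/1.1" 200 1024',
    '198.51.100.7 - - [14/Nov/2024:10:00:09 +0000] "GET /?bwfan-track-id=1%2527%2520OR%25201%253D1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/Nov/2024:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        verdict = "SUSPICIOUS" if hit["indicators"] else "benign"
        print(f'{hit["ip"]:<14} {hit["status"]} {verdict:<10} {hit["indicators"]} {hit["value"]!r}')
```

Only the first hit comes out benign; the other three are flagged even though every one of them received an HTTP 200, which is the point made above about status codes being a weak signal on their own. Feed the script real access logs with `scan_log(open(path))` and alert on any record whose indicator list is non-empty.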