Description (NVD)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Funnel Builder by FunnelKit funnel-builder allows SQL Injection. This issue affects Funnel Builder by FunnelKit: from n/a through <= 3.10.2.
Analysis (AI)
SQL injection in the Aman Funnel Builder by FunnelKit WordPress plugin (versions through 3.10.2) allows attackers to execute arbitrary SQL commands against the site database. The vulnerability affects an unspecified function that fails to properly sanitize or parameterize user-supplied input before including it in SQL queries. No CVSS score has been assigned; the EPSS probability (0.05%, 15th percentile) indicates a low real-world exploitation likelihood at the time of analysis, and no active exploitation (CISA KEV listing) or public exploit code has been confirmed.
Technical Context (AI)
This SQL injection vulnerability (CWE-89) stems from improper neutralization of special SQL metacharacters in user input. Aman Funnel Builder by FunnelKit is a WordPress plugin (its CPE places it in the WordPress ecosystem) that likely processes user-supplied parameters in funnel configuration, form submissions, or backend queries without parameterized prepared statements or input validation. The vulnerability allows an attacker to break out of the intended SQL query context and inject SQL commands that execute with the database user's privileges, potentially leading to unauthorized data access, modification, or deletion.
Affected Products (AI)
The Aman Funnel Builder by FunnelKit WordPress plugin is affected in all versions from an unspecified baseline through and including version 3.10.2. The plugin is distributed via the WordPress plugin repository and is identified by the slug 'funnel-builder'. CPE identification would follow the pattern cpe:2.3:a:funnelkit:funnel-builder:*:*:*:*:*:wordpress:*:* with the version constraint <=3.10.2. The Patchstack database reference confirms the affected version range.
Remediation (AI)
Update Aman Funnel Builder by FunnelKit to a version greater than 3.10.2 immediately; the vendor advisory via Patchstack (https://patchstack.com/database/Wordpress/Plugin/funnel-builder/vulnerability/wordpress-funnel-builder-by-funnelkit-plugin-3-10-2-sql-injection-vulnerability?_s_id=cve) indicates a patched version is available. If an immediate update is not feasible, review and restrict the database user permissions granted to the WordPress application so that a successful injection cannot read or modify more than that application needs, and implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns in request parameters. Monitor database query logs for anomalous activity.