CVE-2025-14169
FunnelKit · FunnelKit - Funnel Builder for WooCommerce Checkout
A high-severity vulnerability has been identified in the FunnelKit - Funnel Builder plugin for WordPress.
Executive summary
A high-severity vulnerability has been identified in the FunnelKit - Funnel Builder plugin for WordPress. This flaw, a time-based blind SQL Injection, could allow an unauthenticated attacker to steal sensitive information from the website's database, such as user credentials, customer data, and other confidential business information, by sending specially crafted requests.
Vulnerability
The vulnerability is a time-based blind SQL Injection that exists due to insufficient sanitization of user-supplied input in the 'opid' parameter. An attacker can inject malicious SQL queries that include time-delay functions (e.g., SLEEP() or BENCHMARK()). By measuring the server's response time, the attacker can infer the results of the query one character at a time, allowing for the gradual exfiltration of the entire database contents without generating direct error messages.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a significant data breach, compromising sensitive customer information, user credentials, and proprietary business data stored in the database. This could result in severe reputational damage, loss of customer trust, financial loss, and potential regulatory fines under data protection laws like GDPR or CCPA.
Remediation
Immediate Action: Update the "FunnelKit - Funnel Builder for WooCommerce Checkout" plugin to the latest available version (greater than version 3) to patch the vulnerability. If the plugin is not essential for business operations, consider deactivating and removing it to eliminate the attack surface entirely.
Proactive Monitoring: Monitor web server and Web Application Firewall (WAF) logs for suspicious requests targeting the application, specifically looking for SQL keywords like SLEEP, BENCHMARK, UNION, or SELECT within the 'opid' parameter. Monitor database logs for unusually long-running queries, which can be an indicator of a time-based blind SQL injection attack in progress.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a robust ruleset configured to detect and block SQL injection attacks. Enforce the principle of least privilege for the database user connected to the WordPress application to limit the potential impact of a successful exploit.
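The log-monitoring step above can be turned into a simple detection check. The following Python is an added example, not part of this advisory or of the FunnelKit plugin: it scans web-server access-log lines for requests whose 'opid' query parameter contains one of the SQL keywords named above, after URL-decoding (including a second decode pass for double-encoded values). The log lines, client addresses and request paths are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed sample access-log lines (combined log format). Paths, IPs and
# parameter values are made up for this example, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:10:01:02 +0000] "GET /checkout/?opid=42 HTTP/1.1" 200 5120
203.0.113.11 - - [12/Jan/2025:10:01:07 +0000] "GET /checkout/?opid=42%27%20AND%20SLEEP(5) HTTP/1.1" 200 5120
203.0.113.12 - - [12/Jan/2025:10:01:09 +0000] "GET /checkout/?opid=42+AND+BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200 5120
203.0.113.13 - - [12/Jan/2025:10:01:11 +0000] "GET /?s=sleep+study HTTP/1.1" 200 3000
203.0.113.14 - - [12/Jan/2025:10:01:15 +0000] "GET /checkout/?opid=1%2520UNION%2520SELECT%25201 HTTP/1.1" 200 5120
"""

# Keywords the advisory recommends watching for inside the 'opid' parameter.
SQLI_KEYWORDS = re.compile(r"\b(SLEEP|BENCHMARK|UNION|SELECT)\b", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def fully_decode(value, max_passes=3):
    """Undo repeated URL-encoding so %2520 (double-encoded space) is caught too."""
    for _ in range(max_passes):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_opid_requests(log_text):
    """Return (client_ip, decoded_opid) for every request whose 'opid'
    parameter contains one of the watched SQL keywords."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        # parse_qs performs one percent-decode and turns '+' into spaces.
        params = parse_qs(urlparse(m.group("target")).query)
        for raw in params.get("opid", []):
            value = fully_decode(raw)
            if SQLI_KEYWORDS.search(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for ip, opid in suspicious_opid_requests(SAMPLE_LOG):
        print(f"suspicious opid from {ip}: {opid!r}")
```

Correlating these hits with unusually slow responses or long-running database queries, as the advisory suggests, strengthens the signal, since a single keyword match alone can be a false positive.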
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.5) and the direct risk of a data breach, it is strongly recommended that organizations using the affected plugin apply the vendor-supplied patch immediately. Although this vulnerability is not currently listed on the CISA KEV catalog, the potential for sensitive data exfiltration presents a significant risk that requires urgent attention. A comprehensive review of all installed WordPress plugins should also be conducted to ensure they are necessary, up-to-date, and from reputable sources.