CVE-2025-66067

The Funnel Builder by FunnelKit plugin for WordPress, versions 3.13.1.2 and earlier, contains a DOM-Based Cross-Site Scripting (XSS) vulnerability. The issue stems from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject malicious scripts into the page's DOM [1].

To exploit this vulnerability, an attacker must convince a user with appropriate privileges (such as a site administrator) to perform an action—such as clicking a malicious link, visiting a crafted page, or submitting a form—that triggers the script injection. This requirement for user interaction reduces the attack's automation potential but still poses a risk in social engineering scenarios [1].

If successfully exploited, an attacker could inject arbitrary HTML and JavaScript payloads, which would execute in the context of the victim's browser when they visit the affected site. This could be used to perform actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing sensitive session information [1]. Although the vulnerability is classified with a medium severity (CVSS 6.5), it is considered unlikely to be exploited in widespread campaigns, but immediate action is still advised [1].

The vendor has released version 3.13.1.3, which patches the vulnerability. Users are strongly recommended to update to this version or later. For those unable to update immediately, applying a web application firewall rule or restricting plugin functionality may serve as temporary mitigations. Patchstack users can enable auto-updates for vulnerable plugins to simplify the remediation process [1].