
FunnelKit Funnel Builder XSS Vulnerability (CVE-2025-66067): Protect Your WordPress Site!

Overview

This article details a Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-66067, affecting the FunnelKit Funnel Builder plugin for WordPress. Specifically, it is a DOM-based XSS, meaning the payload is introduced into the page by the plugin’s own client-side JavaScript rather than being reflected in the server’s HTML response; the injected script still runs in the victim’s browser. The vulnerability affects Funnel Builder by FunnelKit in all versions up to and including 3.13.1.2.

Technical Details

CVE-2025-66067 is a DOM-based XSS vulnerability: the FunnelKit Funnel Builder plugin fails to properly neutralize user-controlled input during web page generation. An attacker could craft a malicious URL, or otherwise place data where the plugin’s client-side code reads it, so that when a user opens the page, arbitrary JavaScript executes in that user’s browser. This is possible because the plugin does not sanitize or encode the data before rendering it on the client side.

The flaw resides in the plugin’s JavaScript, which reads parameters from the URL or other client-side sources without sanitizing them and then uses that data to modify the page’s Document Object Model (DOM). Because the untrusted string reaches a sink that interprets it as HTML, any markup or script it contains is executed.
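The pattern described above, as an added example that is not FunnelKit’s code and does not reproduce the plugin’s actual logic: a URL parameter (the source) flows into `innerHTML` (an HTML sink), beside the two client-side controls that close it, allowlist validation and HTML encoding or a text-only sink. The parameter name `ref`, the sample URL and the helper names are all constructed for illustration.

```javascript
// Added example (not FunnelKit's code): the generic DOM-based XSS pattern this
// advisory describes, and the client-side controls that close it.
// Parameter name "ref" and the sample URL are constructed for illustration.

// SOURCE: untrusted data read from the URL by client-side code.
function readParam(url, name) {
  return new URL(url).searchParams.get(name) ?? "";
}

// VULNERABLE SINK (kept only for contrast): the string is handed to innerHTML,
// so any markup it contains is parsed and event handlers in it will run.
function renderUnsafe(container, value) {
  container.innerHTML = "<p>Referred by: " + value + "</p>";
}

// CONTROL 1: validate against an allowlist when the value has a known shape.
// Returns null for anything that is not a short identifier.
function validateRef(value) {
  return /^[A-Za-z0-9_-]{1,64}$/.test(value) ? value : null;
}

// CONTROL 2: encode for the HTML text context so markup is displayed, not parsed.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Markup the hardened path produces; kept separate from the DOM write so it
// can be checked outside a browser.
function safeMarkup(value) {
  return "<p>Referred by: " + escapeHtml(value) + "</p>";
}

// HARDENED SINK: prefer a text sink (textContent) over building HTML strings.
function renderSafe(container, value) {
  const p = document.createElement("p");
  p.textContent = "Referred by: " + value; // never interpreted as HTML
  container.replaceChildren(p);
}

// Constructed sample: a URL carrying markup in the "ref" parameter.
const SAMPLE_URL = "https://shop.example/?ref=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";

// Walk one request through source, validation and safe rendering.
function demo() {
  const ref = readParam(SAMPLE_URL, "ref");
  return {
    raw: ref,                   // "<img src=x onerror=alert(1)>"
    accepted: validateRef(ref), // null: rejected by the allowlist
    rendered: safeMarkup(ref),  // markup shown as literal text
  };
}
```

`renderUnsafe` and `renderSafe` need a browser DOM; the remaining functions run anywhere, which is why the encoding step is factored into `safeMarkup`. When the value has a known format, validation (`validateRef`) should reject bad input outright; encoding is the fallback for free-form text, and the safest sink is one that never parses HTML at all.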

CVSS Analysis

Currently, the CVSS score for CVE-2025-66067 is marked as N/A, which indicates that a formal score had not been calculated or published at the time of writing. XSS vulnerabilities can still pose a significant risk, and the absence of a score should not be read as a sign of low severity. The impact depends heavily on the privileges of the targeted user.

Possible Impact

The exploitation of this XSS vulnerability could lead to several adverse outcomes:

  • Account Takeover: An attacker could steal a user’s session cookie and gain unauthorized access to their account.
  • Malware Distribution: Malicious scripts could redirect users to websites hosting malware or attempt to install malware directly.
  • Defacement: The attacker could alter the content of the website, displaying misleading or harmful information.
  • Data Theft: Sensitive data, such as personal information or financial details, could be stolen from the user’s browser.
  • Phishing: The attacker could create fake login forms to steal user credentials.

Mitigation and Patch Steps

The primary mitigation is to update the FunnelKit Funnel Builder plugin to the latest version. Make sure the installed version is newer than 3.13.1.2, since that version and all earlier releases are vulnerable. Check the WordPress plugin repository for updates.

While waiting for an official update, consider implementing the following temporary measures:

  • Web Application Firewall (WAF): Deploy a WAF with rules that detect and block common XSS payloads in requests. Because a DOM-based payload may never reach the server (for example, when carried in the URL fragment), treat this as a partial control.
  • Input Validation: Apply strict validation and sanitization to all user-supplied data. Since the injection occurs in client-side code, this is hard to achieve without modifying the plugin’s JavaScript.
  • Content Security Policy (CSP): Deploy a strict CSP to restrict the sources from which the browser may load scripts and other resources, limiting what an injected script can do. CSP reduces the impact of the flaw rather than removing it, and a restrictive policy needs careful testing so that the plugin’s legitimate scripts still load. This requires technical expertise.
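To make the CSP bullet concrete, here is an added, simplified model of how a nonce-based policy decides which scripts may run; it is not part of the advisory, the plugin or any browser, and it reduces host matching to an exact origin comparison (real CSP source matching also handles wildcards, schemes and paths). The nonce value, origins and script URLs are constructed placeholders.

```javascript
// Added example: a simplified model of Content-Security-Policy script-src
// enforcement, to show why a strict, nonce-based policy blunts injected inline
// script even while the XSS itself is unpatched. Not browser code.

// Build the header value a page would send. The nonce must be fresh for every
// response and unguessable; "r4nd0m" below is only a placeholder for tests.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Parse "directive value value; directive value" into an object.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Decide whether a script would execute under the policy.
// script = { inline: true, nonce?: string } for <script>...</script> and
// inline event handlers, or { src: "https://..." } for external scripts.
// pageOrigin is the origin of the document, used for 'self'.
function scriptAllowed(header, script, pageOrigin) {
  const d = parseCsp(header);
  const sources = d["script-src"] ?? d["default-src"] ?? [];
  const usesNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));

  if (script.inline) {
    // A matching nonce is the only way inline script runs under a strict policy.
    if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
    // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    return sources.includes("'unsafe-inline'") && !usesNonceOrHash;
  }

  // External script: allowed by 'self' or by an exact origin in the source list.
  const origin = new URL(script.src).origin;
  if (sources.includes("'self'") && origin === pageOrigin) return true;
  return sources.some((s) => !s.startsWith("'") && (s === "*" || s === origin));
}

// Constructed scenario: the page is served with a nonce; compare an injected
// inline script (what a DOM XSS produces) with the site's own scripts.
function demoCsp() {
  const nonce = "r4nd0m";
  const policy = buildCsp(nonce);
  const page = "https://shop.example";
  return {
    injectedInline: scriptAllowed(policy, { inline: true }, page),                 // false
    ownNoncedScript: scriptAllowed(policy, { inline: true, nonce }, page),         // true
    ownExternal: scriptAllowed(policy, { src: page + "/app.js" }, page),           // true
    thirdParty: scriptAllowed(policy, { src: "https://cdn.example/x.js" }, page),  // false
  };
}
```

The injected script fails because it carries no nonce and the policy contains no `'unsafe-inline'`; the site’s own scripts pass because they are either nonced or served from the same origin. This is exactly why CSP is a mitigation rather than a fix: a DOM-based injection can still invoke scripts the policy already trusts, so the plugin update remains the real remedy.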

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
