| Plugin Name | Funnel Builder by FunnelKit |
|---|---|
| Type of Vulnerability | Reflected XSS |
| CVE Number | CVE-2025-10567 |
| Urgency | Medium |
| CVE Publish Date | 2025-11-09 |
| Source URL | CVE-2025-10567 |
FunnelKit (Funnel Builder) < 3.12.0.1 — Reflected XSS (CVE-2025-10567): What WordPress Site Owners Must Do Now
TL;DR
A reflected Cross‑Site Scripting (XSS) vulnerability (CVE‑2025‑10567) affects Funnel Builder (FunnelKit) versions prior to 3.12.0.1. The flaw is exploitable without authentication and carries a CVSS score of 7.1. The vendor released a fix in 3.12.0.1 — update immediately. If you cannot update at once, apply virtual patching via a WAF, then follow the hardening and incident‑response steps below.
This article is written from the perspective of a Hong Kong security expert. It explains what the vulnerability is, how attackers may abuse it, how to detect exploitation attempts, and the concrete mitigation, hardening, developer and recovery steps you should follow.
Why this matters
Reflected XSS allows attackers to craft links or requests containing malicious HTML/JavaScript that the vulnerable site echoes back unsanitized. When a user clicks such a link, the payload runs in the context of the site and can do anything site JavaScript can: steal session tokens, perform actions as the user, show fake login prompts, inject redirects or ads, or deliver secondary payloads.
This issue is notable because:
- It can be exploited by unauthenticated attackers.
- It affects a widely used funnel builder plugin, often embedded in high-traffic marketing pages.
- CVSS 7.1 indicates substantial potential impact (account compromise, content injection, SEO damage, malware distribution).
- A patch exists (3.12.0.1), but many sites remain unpatched for days or weeks after disclosure.
If you manage WordPress security, treat this as a priority: update, block exploit attempts, and verify site integrity.
What is a reflected XSS (plain language)
Reflected XSS occurs when input from an HTTP request (query string, POST body, form fields, headers) is included in a page response without proper encoding or sanitization. Unlike stored XSS, the malicious code is not persisted on the server — the attacker crafts a URL or form that, when processed, returns the malicious content directly to the victim’s browser.
Real‑world outcomes include:
- Session cookie theft (if cookies aren’t protected by HttpOnly or tokens are exposed to JavaScript).
- Unauthorized browser actions (CSRF‑like outcomes when combined with existing authentication).
- SEO and reputation damage via injected spam or redirect chains.
- Drive‑by downloads or malware delivery through injected scripts.
Technical summary of the FunnelKit vulnerability
- Affected software: Funnel Builder (FunnelKit) WordPress plugin
- Affected versions: any release prior to 3.12.0.1
- Fixed in: 3.12.0.1
- Type: Reflected Cross‑Site Scripting (XSS)
- Privileges required: Unauthenticated
- CVE: CVE‑2025‑10567
- Reported: November 2025
- Researcher credited: independent security disclosure
The flaw involves an endpoint or template that reflects user input (URL parameter or form field) into the HTML response without escaping. An attacker constructs a URL with an HTML/JS payload which the site returns to the victim. The attacker‑supplied content executes under the site origin in the victim’s browser, bypassing same‑origin protections for that session.
Note: No exploit payloads are published here to avoid enabling attackers. The guidance focuses on safe detection, mitigation, and developer fixes.
Immediate actions (first 24 hours)
-
Update the plugin
Log into WordPress admin → Plugins → update Funnel Builder / FunnelKit to version 3.12.0.1 or later.
If you use CLI, from the site root (when safe):
wp plugin update funnel-builder --version=3.12.0.1Check your plugin slug — the command above is illustrative.
-
If update is not possible immediately, enable virtual patching / WAF rules
Apply WAF rules that block reflected XSS patterns aimed at the plugin’s known endpoints. Virtual patching buys time while you test and schedule the update.
-
Scan your site
Run a full malware and file‑integrity scan. Focus on public pages where input is reflected and on template files that render plugin content. Check for injected scripts or unexpected inline event handlers, especially on landing and funnel pages.
-
Backup
Take a fresh backup (files and database) before making changes. If the site is already compromised, take a forensic snapshot first.
-
Monitor logs and block suspicious traffic
Look for suspicious query strings, encoded payloads, or traffic to funnel pages containing script-like patterns. Rate‑limit and block IPs with repeated attempts.
-
Rotate credentials if you see evidence of compromise
If you detect active compromise (new admin users, unexpected scheduled tasks), change admin passwords and rotate any exposed API keys.
How a managed WAF and monitoring can help (plain terms)
If you use a managed WAF or deploy tuned WAF rules, these protections can:
- Block common reflected XSS payloads and requests targeting known vulnerable endpoints (virtual patching).
- Implement contextual filtering for specific plugin endpoints to reduce false positives.
- Rate‑limit and filter bot traffic to reduce noisy scanning and exploitation attempts.
- Provide logging and alerts with payload and source IP data to support incident response and forensic analysis.
- Detect injected JavaScript fragments and help identify post‑exploit artifacts.
Choose a provider or toolset that allows rapid rule deployment and safe logging for incident review. If you do not have a managed provider, consider temporary, targeted WAF rules deployed by your hosting provider or network edge device.
Detection: how to spot exploit attempts and indicators of compromise
Look for these signs in logs, site pages and user reports:
