CVE-2025-10567
📋 TL;DR
This vulnerability allows attackers to conduct reflected cross-site scripting (XSS) attacks against logged-in WordPress users through the FunnelKit plugin. Attackers can inject malicious scripts via checkout-related AJAX actions that are not properly sanitized. WordPress sites using vulnerable versions of FunnelKit are affected.
💻 Affected Systems
- FunnelKit for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over admin accounts, install backdoors, or redirect users to malicious sites.
Likely Case
Attackers could steal user session cookies, perform actions on behalf of logged-in users, or deface checkout pages.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute malicious scripts.
🎯 Exploit Status
Exploitation requires tricking a logged-in user to click a malicious link. The vulnerability is in AJAX endpoints that echo unsanitized user input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.12.0.1
Vendor Advisory: https://wpscan.com/vulnerability/c7536b0c-3bce-449d-937e-b0195990110a/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find FunnelKit and click 'Update Now'. 4. Verify version is 3.12.0.1 or later.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints
allTemporarily disable the specific checkout-related AJAX actions until patching is possible.
Add to theme's functions.php: remove_action('wp_ajax_funnelkit_checkout_action', 'vulnerable_function');
Add to theme's functions.php: remove_action('wp_ajax_nopriv_funnelkit_checkout_action', 'vulnerable_function');
Implement WAF rules
allAdd web application firewall rules to block XSS payloads in AJAX requests.
ModSecurity rule: SecRule ARGS "<script" "id:1001,phase:2,deny,status:403,msg:'XSS Attempt'"
Cloudflare WAF: Enable XSS protection rules
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Disable the FunnelKit plugin entirely until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > FunnelKit version. If version is below 3.12.0.1, the site is vulnerable.Check Version:
wp plugin list --name=funnelkit --field=versionVerify Fix Applied:
After updating, verify FunnelKit version shows 3.12.0.1 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with script tags in parameters
- Multiple 403 errors from WAF blocking XSS attempts
Network Indicators:
- HTTP requests containing <script> tags in query parameters or POST data to AJAX endpoints
- Unusual redirects from checkout pages
SIEM Query:
source="web_server" AND (url="*admin-ajax.php*" AND (param="*<script*" OR param="*javascript:*"))