CVE-2025-10567 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the FunnelKit WordPress plugin, which is widely used for creating sales funnels and checkout processes. The vulnerability exists because the plugin does not properly sanitize user-supplied input before echoing it back in some of its checkout-related AJAX endpoints. Specifically, when a logged-in user interacts with these AJAX actions, an attacker can craft a malicious URL or request that injects JavaScript code. This code executes in the victim's browser with the privileges of the logged-in user, potentially allowing session hijacking, theft of cookies or credentials, defacement, or unauthorized actions on the website. The vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS. No CVSS score has been assigned yet, and no public exploits have been reported. However, the vulnerability is publicly disclosed and affects all versions of FunnelKit prior to 3.12.0.1. The flaw is particularly dangerous because it targets logged-in users, who often have elevated privileges or access to sensitive information. The lack of input sanitization in AJAX responses is a common vector for reflected XSS, making this a classic but impactful vulnerability. The plugin’s role in checkout processes means that exploitation could also impact payment workflows or customer data integrity.

For European organizations, the impact of this vulnerability can be significant, especially for e-commerce businesses relying on FunnelKit to manage sales funnels and checkout flows. Exploitation could lead to session hijacking of logged-in users, including administrators or customers, resulting in unauthorized access to sensitive data such as personal information, payment details, or order histories. Attackers could also perform actions on behalf of users, such as changing account settings or initiating fraudulent transactions. This undermines customer trust and could lead to regulatory penalties under GDPR if personal data is compromised. Additionally, successful exploitation could damage brand reputation and cause operational disruptions. Since the vulnerability affects AJAX endpoints, it can be triggered via crafted URLs or requests, increasing the attack surface. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits following public disclosure. Organizations with high volumes of logged-in user traffic are particularly vulnerable. The impact on availability is minimal, but confidentiality and integrity are at high risk.

To mitigate this vulnerability, organizations should prioritize updating the FunnelKit plugin to version 3.12.0.1 or later once it is released with the fix. Until then, administrators should consider disabling or restricting access to the affected AJAX endpoints if possible. Implementing Web Application Firewalls (WAFs) with rules to detect and block reflected XSS payloads targeting FunnelKit AJAX actions can provide interim protection. Enforcing strict Content Security Policies (CSP) that limit the execution of inline scripts and restrict sources of executable code can reduce the impact of XSS attacks. Additionally, reviewing and hardening user input validation and output encoding practices within the plugin’s codebase is recommended for developers. Monitoring web server logs for suspicious requests to checkout-related AJAX endpoints can help detect exploitation attempts. Educating users about the risks of clicking on untrusted links while logged in can also reduce exposure. Finally, organizations should ensure robust session management and multi-factor authentication to limit the damage from compromised sessions.