CVE-2025-10567 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the FunnelKit WordPress plugin, affecting all versions before 3.12.0.1. The vulnerability stems from the plugin's failure to sanitize user-supplied input before reflecting it in the output of certain checkout-related AJAX actions. This improper input handling allows attackers to craft malicious URLs or requests that, when visited or triggered by authenticated users, execute arbitrary JavaScript in their browsers. Since the vulnerability targets logged-in users, attackers can leverage it to hijack sessions, steal cookies, perform actions on behalf of the victim, or deliver further malware payloads. The CVSS 3.1 base score of 6.3 reflects a medium severity, with attack vector being network-based, low attack complexity, no privileges required, but user interaction needed. The scope remains unchanged, and the impact affects confidentiality, integrity, and availability to a limited extent. No public exploits have been reported yet, but the presence of this vulnerability in a widely used WordPress plugin for funnel and checkout management poses a significant risk to websites relying on it for e-commerce or marketing purposes. The vulnerability was reserved in September 2025 and published in November 2025, indicating recent discovery and disclosure. The lack of patch links suggests users should verify plugin updates or vendor advisories to remediate the issue.

For European organizations, especially those operating e-commerce platforms or marketing funnels using WordPress and FunnelKit, this vulnerability can lead to session hijacking, unauthorized actions, and data leakage. Attackers exploiting this reflected XSS can impersonate users, potentially accessing sensitive customer data or manipulating transactions. This undermines user trust and can lead to regulatory repercussions under GDPR if personal data is compromised. The reflected nature of the XSS requires user interaction, typically via phishing or malicious links, increasing the risk of targeted attacks against employees or customers. The impact on availability is limited but could include disruption through malicious script execution. Given the widespread use of WordPress in Europe and the growing reliance on online sales funnels, the vulnerability poses a moderate risk to business continuity and data protection compliance.

Organizations should immediately verify if they are running FunnelKit versions prior to 3.12.0.1 and upgrade to the latest patched version once available. In the absence of an official patch, temporary mitigations include disabling affected AJAX actions or restricting access to authenticated users with minimal privileges. Implementing strict input validation and output encoding on all user inputs related to checkout processes can reduce risk. Deploying Content Security Policy (CSP) headers to restrict script execution sources can mitigate the impact of XSS attacks. Security teams should monitor logs for suspicious AJAX requests and educate users about phishing risks associated with malicious links. Regular vulnerability scanning and penetration testing focused on web application security will help identify residual risks. Additionally, employing Web Application Firewalls (WAFs) with XSS detection rules can provide an additional layer of defense.