CVE-2025-66067 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in Funnel Builder by FunnelKit, a WordPress plugin widely used for creating sales and marketing funnels. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject and execute arbitrary JavaScript code in the context of the victim's browser. This type of XSS is particularly dangerous because it exploits client-side scripts and does not necessarily require server-side code injection. The affected versions include all releases up to and including 3.13.1.2. While no public exploits have been reported yet, the vulnerability could be leveraged by attackers to perform session hijacking, steal cookies or credentials, deface websites, or conduct phishing attacks by manipulating the DOM. The lack of a CVSS score indicates that the vulnerability is newly disclosed, but its characteristics suggest a significant risk. The vulnerability's exploitation requires the victim to visit a crafted URL or interact with malicious content hosted on or linked from the vulnerable site, but does not require prior authentication, increasing its attack surface. Funnel Builder's role in managing user interactions and conversions makes this vulnerability particularly critical for organizations relying on it for customer engagement and data collection.

For European organizations, the impact of this DOM-based XSS vulnerability can be substantial. Exploitation can lead to unauthorized access to user sessions, theft of sensitive customer data, and potential compromise of administrative accounts if session tokens are exposed. This undermines the confidentiality and integrity of user data and can damage organizational reputation, especially in sectors like e-commerce, finance, and digital marketing where Funnel Builder is commonly used. Additionally, regulatory frameworks such as the GDPR impose strict requirements on data protection; a breach resulting from this vulnerability could lead to significant legal and financial penalties. The availability of the affected plugin across many WordPress sites in Europe means a wide attack surface, particularly for organizations that have not yet updated or mitigated the vulnerability. The lack of known exploits in the wild currently provides a window for proactive defense, but the ease of exploitation typical of DOM-based XSS means attackers could quickly develop weaponized payloads.

Organizations should immediately inventory their WordPress environments to identify installations of Funnel Builder by FunnelKit and determine the version in use. Until an official patch is released, implement strict Content Security Policies (CSP) to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Employ web application firewalls (WAFs) with rules tailored to detect and block DOM-based XSS payloads targeting Funnel Builder. Review and harden input validation and sanitization routines within custom integrations or extensions of the plugin. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content. Monitor web server logs and user activity for anomalies that may indicate exploitation attempts. Once a patch becomes available, prioritize its deployment in all affected environments. Additionally, consider isolating or restricting access to administrative interfaces of Funnel Builder to trusted networks or VPNs to reduce exposure.