Description

The FunnelKit WordPress plugin before 3.12.0.1 does not sanitize user input before echoing it back in some of its checkout-related AJAX actions, allowing attackers to conduct reflected XSS attacks against logged-in users.

State: PUBLISHED | Reserved 2025-09-16 | Published 2025-11-05 | Updated 2025-11-05 | Assigner: WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status: unaffected

Any version before 3.12.0.1: affected

Credits

Marc Montpas (finder)

WPScan (coordinator)

References

wpscan.com/...rability/c7536b0c-3bce-449d-937e-b0195990110a/ (tags: exploit, vdb-entry, technical-description)

cve.org (CVE-2025-10567)

nvd.nist.gov (CVE-2025-10567)