CVE-2025-66067 in Funnel Builder Plugin

Summary

by MITRE • 11/21/2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FunnelKit Funnel Builder by FunnelKit funnel-builder allows DOM-Based XSS. This issue affects Funnel Builder by FunnelKit: from n/a through <= 3.13.1.2.


Analysis

by VulDB Data Team • 11/22/2025

This cross-site scripting vulnerability resides in the FunnelKit Funnel Builder WordPress plugin and affects all versions up to and including 3.13.1.2. It is a DOM-based XSS: attacker-controlled input is read by the plugin's client-side JavaScript and written into the page without being encoded for the HTML context it lands in, so arbitrary script executes in the victim's browser under the origin of the affected site. Unlike reflected or stored XSS, the server does not have to echo the payload at all; the defect is in how the plugin's own JavaScript handles input that is already in the browser. The summary above does not identify the affected script, parameter or sink, so what follows describes the general pattern rather than plugin-specific detail.

The underlying weakness is a failure to encode at the point where client-side code builds markup. Values taken from the URL (the query string or the fragment after '#') or from other browser-side sources such as document.referrer or window.name are inserted into dynamically generated HTML, typically through innerHTML, document.write or jQuery's .html(), without escaping. A fragment is especially attractive to an attacker because the browser never transmits it to the server: server-side sanitisation, access logs and a web application firewall all see a clean request while the plugin's JavaScript receives the payload intact. The issue is classified under CWE-79 and CWE-80. Script running in the page can read the DOM and localStorage, capture form input, and issue requests with the victim's session. WordPress sets its authentication cookies HttpOnly by default, so direct cookie theft through document.cookie usually fails; the practical impact is instead actions performed as the victim, including nonce-protected admin-ajax and REST API calls, because the page already holds the nonce.

Operationally, exploitation requires a victim to open a URL the attacker crafted, so the usual delivery is a phishing message, a link placed on a site the victim trusts, or a redirect. Because the payload executes entirely in the browser, the attacker needs no foothold on the server and, when the fragment carries the payload, leaves no trace in server logs. The severe case is a logged-in administrator or shop manager: injected script can perform any action that user can perform in wp-admin, such as editing funnel pages, creating users or changing settings, using the victim's own session. Funnel pages also collect lead and checkout data from customers, so script injected into a public funnel page can silently capture what visitors type or send them to a phishing page.

Mitigation starts with updating to a release newer than 3.13.1.2; the advisory states the affected range but not the exact fixed version, so confirm against the plugin changelog. For the plugin's own code, and for any custom JavaScript on the site, treat location.search, location.hash, document.referrer, window.name and postMessage data as untrusted, write them into the page with textContent or setAttribute rather than innerHTML, and when markup must be built from them, encode for the exact context (element text, attribute value, URL or JavaScript string) before insertion. A Content Security Policy whose script-src omits 'unsafe-inline' blocks inline event handlers such as onerror= and inline script blocks, which defeats the common payloads, but it is a backstop rather than a fix and many WordPress themes and plugins still depend on inline scripts, so test in report-only mode before enforcing. Web application firewalls and server-side input validation do not help against fragment-based DOM XSS because the fragment never reaches them. Regular review of client-side code for DOM sources and sinks, and keeping plugins current, address the root cause; the issue is a straightforward instance of the output-encoding failures catalogued in the OWASP Top Ten and in NIST secure development guidance.
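As an added illustration, not FunnelKit's code and not taken from the advisory, the following JavaScript models the source-to-sink pattern described in the technical paragraph above and the output-encoding fix from the mitigation paragraph. The parameter name "step", the span markup and the payload are hypothetical. It runs under Node without a DOM, so the sink is modelled as the string that would be assigned to innerHTML; the pattern is general to any client-side code that builds markup from location.hash, not specific to this plugin.

```javascript
// Added example (not FunnelKit's code). Models the DOM-based XSS pattern from
// the analysis: source = URL fragment, sink = HTML built for innerHTML.
// The parameter name "step", the markup and the payload are hypothetical.
// Runs under Node: the sink is modelled as the string that would be assigned
// to element.innerHTML, so no DOM is needed.

// Source: parse "#step=value" style fragment parameters the way client-side
// funnel scripts commonly read them. URLSearchParams percent-decodes values.
function parseFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  return new URLSearchParams(raw);
}

// Vulnerable sink: the decoded fragment value is concatenated straight into
// markup. Any "<", ">" or quote in the value becomes live HTML once the
// string reaches innerHTML in the victim's browser.
function renderStepLabelUnsafe(hash) {
  const step = parseFragment(hash).get('step') ?? '';
  return '<span class="fk-step">' + step + '</span>';
}

// HTML entity encoding for the element text context (and quoted attributes):
// the five characters that can change how the markup is parsed.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened sink: identical output shape, but the untrusted value is encoded
// for the HTML text context first. In a real page the equivalent is
// span.textContent = step, which never parses the value as markup.
function renderStepLabelSafe(hash) {
  const step = parseFragment(hash).get('step') ?? '';
  return '<span class="fk-step">' + escapeHtml(step) + '</span>';
}

// Constructed test payload: fires on load without a <script> tag, so it also
// survives naive "<script" filtering. Because it rides in the fragment, the
// browser never sends it to the server; access logs and a WAF will not see it.
const ATTACK_HASH =
  '#step=' + encodeURIComponent('<img src=x onerror=alert(document.cookie)>');

// Reviewer check over rendered markup: did an inline event handler attribute
// appear inside a tag? True for the unsafe rendering, false for the safe one.
function containsInjectedHandler(html) {
  return /<[^>]*\son\w+\s*=/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderStepLabelUnsafe(ATTACK_HASH));
  console.log('safe  :', renderStepLabelSafe(ATTACK_HASH));
  console.log('handler injected (unsafe):', containsInjectedHandler(renderStepLabelUnsafe(ATTACK_HASH)));
}
```

Run it with node: the unsafe rendering contains a live onerror handler, the safe one contains only entity-encoded text that a browser displays literally. For attribute or URL sinks the encoding differs (setAttribute with an allow-listed scheme for href, for instance), which is why the fix is "encode for the context you are writing into" rather than one escaping routine applied everywhere.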

Responsible: Patchstack
Reservation: 11/21/2025
Disclosure: 11/21/2025
Moderation: accepted
CPE: ready
EPSS: 0.00029
KEV: no
Activities: very low
