Cross-Site Scripting Vulnerability in Funnel Builder by FunnelKit
CVE-2025-66067

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Funnel Builder By Funnelkit
Vendor: CVE Published:; 21 November 2025

What is CVE-2025-66067?

The Funnel Builder by FunnelKit is susceptible to a Cross-Site Scripting (XSS) vulnerability that occurs due to improper handling of user input during web page generation. This flaw allows attackers to inject malicious scripts into the web pages viewed by users, potentially leading to unauthorized actions and data theft. It is critical for users of Funnel Builder to ensure they are using the latest version to mitigate potential exploits.

Affected Version(s)

Funnel Builder by FunnelKit <= n/a

References

https://vdp.patchstack.com/database/Wordpress/Plugin/funn...

vdb-entry

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 21, 2025
Vulnerability Reserved
Nov 21, 2025

Credit

zaim | Patchstack Bug Bounty Program

JSON