CVE-2025-30631
Unknown Unknown - Not Provided
Reflected XSS in AA-Team WooCommerce Sales Funnel Builder

Publication date: 2026-01-06

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS.This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-30631
EUVD
EUVD-2026-0953
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
aa-team woocommerce_sales_funnel_builder From 1.0 (inc) to 1.1 (inc)
aa-team amazon_affiliates_addon_for_wpbakery_page_builder From 1.0 (inc) to 1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-30631 is a medium severity Cross Site Scripting (XSS) vulnerability affecting two WordPress plugins: WooCommerce Sales Funnel Builder (up to version 1.1) and Amazon Affiliates Addon for WPBakery Page Builder (up to version 1.2). This vulnerability allows an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into a website. These scripts execute when visitors access the compromised pages. Exploitation requires user interaction by a privileged user, such as clicking a malicious link, visiting a crafted page, or submitting a form. There is currently no official patch, but mitigation rules are available to block attacks until a fix is released. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts on your website, which can lead to unauthorized redirects, display of unwanted advertisements, theft of user data, or other malicious actions. Since the attack requires interaction by a privileged user, it could compromise site administrators or users with elevated permissions, potentially leading to broader site compromise or data leakage. The vulnerability has a CVSS score of 7.1, indicating moderate severity. [1, 2]

Mitigation Strategies

Users are advised to apply Patchstack's mitigation rules immediately to block attacks exploiting this vulnerability until an official patch is released. Since no official fix is currently available, applying these mitigation rules is the recommended immediate step to protect your site from reflected XSS attacks targeting the affected plugins. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-30631. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart