If you run a WordPress site using Funnel Builder from FunnelKit to power checkout funnels, a critical vulnerability has been reported that attackers are actively exploiting in the wild. Here’s what happened and what you can do right now to stay safe.
What happened
Security researchers flagged a vulnerability in the Funnel Builder plugin for WordPress that could allow attackers to inject malicious JavaScript into the checkout flow. This could enable theft of payment data from checkout pages. FunnelKit has released a fix in version 3.15.0.3. The issue has seen active exploitation in the wild, so applying the patch is important.
Why it matters
For small businesses and creators, a compromised checkout can mean stolen card details and damaged customer trust. If you’re managing an online shop, even a single breach can hurt revenue and visitor confidence. Keeping WordPress plugins up to date is the first line of defense, and staying informed about active exploits helps you prioritize updates.
Practical steps you can take now
- Update the plugin — upgrade Funnel Builder to version 3.15.0.3 or newer. If your site uses a managed hosting environment, contact your provider to apply the patch for you.
- If you can’t patch yet — temporarily disable the Funnel Builder plugin to stop exploitation while you test the patch.
- Audit your checkout pages — look for unexpected or inline JavaScript injected into the checkout flow. If you’re unsure, ask your developer or run a content security policy (CSP) and monitor for anomalies.
- Boost monitoring — enable a Web Application Firewall (WAF) rule or a security plugin that flags anomalous checkout activity and unusual outbound requests.
- Prepare for incidents — ensure you have recent backups and a tested recovery plan. Review access for admin accounts and rotate credentials if needed.
- Review data protection practices — verify PCI DSS requirements, consider reissuing API keys, and monitor for payment processor alerts.
Final thought
Keeping plugins up to date is one of the simplest, most effective cybersecurity habits for small businesses and creators. If you’re affected, act quickly, test patches in a staging environment, and validate that checkout flows are clean after updates. Stay tuned to official advisories from FunnelKit and your payment processor for further guidance.