FunnelKit (Funnel Builder) Security Notice
If you received an email from me pointing you to this page, it is because your website
appears to be running a vulnerable version of Funnel Builder by FunnelKit (the WordPress
plugin funnel-builder, also listed as Funnel Builder for WooCommerce Checkout). This page
explains why that matters and how to fix it.
This notice concerns CVE-2026-47100, a critical, actively exploited flaw (CVSS 8.7) that lets an attacker inject their own JavaScript into your checkout pages without logging in. It affects all versions before 3.15.0.3 and is fixed in 3.15.0.3. If you are running an affected version, update Funnel Builder to 3.15.0.3 or later as soon as possible. Because this flaw is being exploited to steal payment-card details, you should also check your checkout for injected code (see If you were on an affected version below).
This is a plugin flaw, not a WordPress core flaw. A fully up-to-date WordPress and WooCommerce do not protect you if the Funnel Builder plugin itself is out of date.
Is this message legitimate?
Yes. This is a good-faith, responsible-disclosure notice from an independent security researcher. I am not asking you for money, passwords, or access to your site, and I have not attempted to break into it, upload anything, or exploit anything.
All I did was look at publicly visible files that your website serves to every visitor
(the same way your homepage is public) and note the version number that the Funnel Builder
plugin publishes in those files: its public readme.txt and the version tag WordPress
stamps on the plugin’s front-end assets. I specifically did not touch the vulnerable
checkout feature, and nothing about this check touches your data, your admin area, or any
private part of your site.
If you would like to verify who I am, see the contact details at the bottom of this page and the About page.
Why this matters
Funnel Builder by FunnelKit is a widely used sales-funnel and checkout plugin for WooCommerce stores. In affected versions, a public checkout endpoint can be reached without logging in and without any security token, and it can be used to write the plugin’s global “External Scripts” setting, the setting that injects scripts into every checkout page. That combination lets a remote attacker place their own JavaScript on your checkout, where your customers type their name, address, and payment-card details.
This is the classic web-skimming / Magecart pattern: the injected script quietly copies what shoppers enter and sends it to the attacker, while your checkout keeps working normally so nothing looks wrong. Security firm Sansec reports this flaw being actively exploited in the wild, with the skimming code often disguised as Google Tag Manager or an analytics snippet so it blends in.
The flaw was scored 8.7 out of 10 (high severity). If my email cited this issue, it means the version your site reports falls within the affected range. I did not test whether your particular site is exploitable or already compromised, only that it reports an affected version.
The good news: updating to a fixed version closes the hole, and the update is straightforward.
How to check your version
You do not have to take my word for which version you are running.
From the public manifest (no login needed): open
yourdomain.com/wp-content/plugins/funnel-builder/readme.txt in a browser. The
Stable tag: line near the top is the version your Funnel Builder install reports, and
this is the same public file I read.
From the WordPress admin area (if you have access):
- Log in to your WordPress dashboard (usually at
yourdomain.com/wp-admin). - Go to Plugins then Installed Plugins.
- Find Funnel Builder (it may appear as Funnel Builder for WooCommerce or FunnelKit) and note the version shown beneath its name.
If the version is anything below 3.15.0.3, you are on an affected version and should update. 3.15.0.3 and later are fixed.
How to upgrade
The safest path is to update through WordPress itself, and to back up first:
- Back up your site (files and database) before making changes. Most hosting providers offer one-click backups, or use a WordPress backup plugin.
- In the WordPress admin, go to Dashboard then Updates, or Plugins then Installed Plugins. If a Funnel Builder update is listed, install it from here.
- If no update appears, you can get the latest release directly from the plugin’s page on the WordPress.org directory, Funnel Builder by FunnelKit, and update via Plugins then Add New Plugin then Upload Plugin.
- After updating, confirm the new version number (3.15.0.3 or later) using the steps above, and check that your checkout loads and completes a test order normally.
While you are in there, it is worth confirming that WordPress core, WooCommerce, and your other plugins are up to date, since the same principle applies to all of them.
If you were on an affected version
Because this flaw is being exploited to plant payment-skimming scripts, a store that ran an affected version should not assume that simply updating is enough. The update removes the vulnerability, but it does not remove any script an attacker may have already injected. You (or your webmaster) should check for that on your own site:
- Review the plugin’s “External Scripts” setting. In the FunnelKit / Funnel Builder settings, look at any global header/footer or “External Scripts” entries that apply to your checkout, and remove anything you did not add yourself, especially a script that claims to be Google Tag Manager, analytics, or a pixel but that you did not configure.
- View the source of a checkout page. Load your own checkout in a browser, view the page
source, and look for any external
<script>you do not recognize, particularly ones loading from an unfamiliar domain. Skimmers are designed to look like ordinary analytics. - Watch for fraud signals. An unexplained rise in customer reports of card fraud after ordering from you is a strong indicator that a skimmer was active.
If you find injected code, treat the store as compromised: remove the rogue script, rotate your credentials (WordPress admin, database, hosting panel, and any payment-gateway API keys), and, because customer card data may have been exposed, notify your payment processor and follow their guidance, which may include customer-notification obligations under PCI-DSS or local law. As a precaution, also review your administrator accounts for any you do not recognize. If your organization has an IT security team, loop them in.
I want to be clear: I have not checked your site for any of these indicators, and I do not know whether your site was affected. This list is here so you can check for yourself.
I do not have a webmaster / I am stuck
If you are not the person who maintains the site, please forward this page to whoever does (your web developer, agency, or hosting provider). They will recognize the steps above quickly.
If you are maintaining the site yourself and get stuck, I am happy to help point you in the right direction at no cost. Reach out using the contact details below.
Contact
Evan Harris, Security Researcher
- Email: security@mail.mcpsec.dev
- X: @Evan__Harris
- GitHub: eharris128
- LinkedIn: Evan Harris
I reach out about issues like this purely to help operators secure their sites. If you would prefer not to be contacted again, just let me know and I will honor that.
References
Official advisories and tracking
Vendor / plugin
Reporting and analysis