Security
FunnelKit Vulnerability: 30k Shops at Risk of Data Theft
By Steven | TrustYourWebsite | 2 min read
Source: Security.NL
Security company Sansec is warning that criminals are actively exploiting a vulnerability in the WordPress plugin FunnelKit to steal credit card data from WooCommerce-based webshops. According to Security.NL, which reported on this on 18 May 2026, almost 30,000 webshops have not yet installed the available security patch and remain at risk.
What is FunnelKit?
FunnelKit is a plugin used on top of WooCommerce, the popular tool that turns a WordPress website into an online shop. According to Security.NL, FunnelKit is active on more than 40,000 webshops. Note that WooCommerce itself is not described as vulnerable here. The issue is specific to FunnelKit.
How does the attack work?
According to Sansec, as cited by Security.NL, the vulnerability allows attackers to inject malicious scripts onto the payment page of an affected webshop. When a customer enters their credit card details at checkout, the script intercepts that data and sends it directly to the criminals. The customer sees nothing unusual, and the shop owner may have no idea this is happening.
What is the current situation?
A security update, FunnelKit version 3.15.0.3, is available and addresses the vulnerability. According to Security.NL, citing figures from WordPress.org, more than 11,000 webshops had installed the update at the time of reporting. That means approximately 29,000 webshops were still running the vulnerable version and remained at risk as of 18 May 2026.
If you run a WooCommerce webshop and use FunnelKit, checking your plugin version and updating immediately is the most important step you can take right now. You can find practical steps in our security checklist for small businesses and our guide on vulnerable WordPress plugins.
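The two practical checks described in this article, confirming which FunnelKit version a shop is running and looking for scripts on the checkout page that do not belong to the shop, can both be done from a shell on the web server or on a local copy of the site files. The script below is an added example written for this page; it is not code from the article, from Security.NL, from Sansec or from the FunnelKit project. It assumes the plugin is installed under wp-content/plugins/funnel-builder/ (the WordPress.org slug is assumed, so adjust the path if yours differs), that the plugin's main PHP file carries a standard WordPress "Version:" header, and that the checkout page has been saved to a local HTML file for inspection. The fixed version 3.15.0.3 is taken from the article.

```shell
#!/bin/sh
# Added example for this page (not FunnelKit or Security.NL code).
# Assumptions: plugin directory wp-content/plugins/funnel-builder (slug assumed),
# standard "Version:" plugin header, checkout page saved as a local HTML file.

FIXED_VERSION="3.15.0.3"   # first fixed release, as stated in the article

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
# Components are compared numerically so that 3.15.0.3 > 3.15.0 and 3.15.1 > 3.15.0.3.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;   # equal versions are not "lower"
    }'
}

# plugin_version FILE: print the value of the "Version:" header of a WordPress
# plugin main file (works with or without the leading " * " of a doc comment).
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# funnelkit_status PLUGIN_DIR: print "absent", "unknown", "vulnerable <v>" or
# "patched <v>" depending on the version found in the plugin directory.
funnelkit_status() {
    dir="$1"
    main=""
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        if grep -q 'Plugin Name:' "$f"; then main="$f"; break; fi
    done
    [ -n "$main" ] || { echo "absent"; return 0; }
    v=$(plugin_version "$main")
    [ -n "$v" ] || { echo "unknown"; return 0; }
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable $v"
    else
        echo "patched $v"
    fi
}

# foreign_script_hosts HTML_FILE SHOP_HOST: list the hosts of <script src=...>
# tags on a saved checkout page that are not SHOP_HOST. Relative URLs are
# skipped. An unexpected host is a lead for investigation, not proof of a
# skimmer: compare the list against the CDNs and payment providers you use.
foreign_script_hosts() {
    grep -o "<script[^>]*src=[\"'][^\"']*" "$1" \
      | sed -n "s|.*src=[\"']\(https\{0,1\}:\)\{0,1\}//\([^/\"']*\).*|\2|p" \
      | sort -u \
      | grep -v -x "$2" || true
}

# Stand-alone use: sh check_funnelkit.sh /path/to/wp-content/plugins/funnel-builder
if [ "$#" -gt 0 ]; then
    funnelkit_status "$1"
fi
```

Run the status check from the WordPress root (or pass the plugin directory explicitly). For the script check, save the live checkout page as HTML from a browser or with a fetching tool, then call foreign_script_hosts on that file with your shop's hostname; any host you do not recognise should be traced back to the plugin or theme that emits it before being dismissed.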
What does this mean for your website?
If your webshop uses FunnelKit, your customers' payment details could be at risk until you update to version 3.15.0.3 or higher. Under UK GDPR and the Data Protection Act 2018, you are responsible for keeping personal data, including payment information, secure, and a breach could require you to report to the ICO. Keeping all your plugins up to date is one of the simplest and most effective ways to protect both your customers and your business.