Funnel Builder 3.15.0.3 security update
Security Patch Release
Summary
Hide ▲
Show ▼
FunnelKit released Funnel Builder 3.15.0.3 to fix an actively exploited flaw affecting WordPress/WooCommerce checkout pages, closing a path that could inject malicious JavaScript. The bug affected all versions before 3.15.0.3 and was exploitable without authentication. Site owners should update from the WordPress dashboard and review External Scripts for any rogue entries.
Related Happenings
PushEngage hit by cyberattack
Incident
H score93
First: 15.06.2026 12:59
Last: 15.06.2026 12:59
Sources 1
About this happening:
**Awesome Motive**'s **WordPress plugin** delivery paths for **OptinMonster**, **TrustPulse**, and **PushEngage** were hit in a **CDN supply-chain incident** after attackers stole...
PushEngage hit by cyberattack
IncidentAbout this happening: **Awesome Motive**'s **WordPress plugin** delivery paths for **OptinMonster**, **TrustPulse**, and **PushEngage** were hit in a **CDN supply-chain incident** after attackers stole...
Latest development: 15.06.2026 20:37
Awesome Motive remediated the marketing site, migrated it to a new server, and rotated all credentials, including the CDN API key, after attackers exploited a known UpdraftPlus flaw to steal CDN account credentials from a server in its environment and modify JavaScript served from the company's CDN. The company says its application servers, source code, and systems storing OptinMonster and TrustPulse account information were hosted separately and were not breached.
PushEngage, OptinMonster, and TrustPulse CDN script-tampering campaign
Campaign
H score89
First: 15.06.2026 12:59
Last: 15.06.2026 12:59
Sources 1
About this happening:
A **multi-plugin supply-chain campaign** targeted **Awesome Motive** WordPress plugins **OptinMonster**, **TrustPulse**, and **PushEngage**, with malicious JavaScript delivered th...
PushEngage, OptinMonster, and TrustPulse CDN script-tampering campaign
CampaignAbout this happening: A **multi-plugin supply-chain campaign** targeted **Awesome Motive** WordPress plugins **OptinMonster**, **TrustPulse**, and **PushEngage**, with malicious JavaScript delivered th...
Latest development: 15.06.2026 20:37
Awesome Motive said a server in its environment was compromised after exploitation of a known UpdraftPlus WordPress plugin flaw, allowing attackers to steal the CDN API key for a marketing website and modify JavaScript distributed through the company’s CDN. The company remediated the marketing site, moved it to a new server, and rotated all credentials, including the CDN API key, while stating that its application servers, source code, and account-data systems were not breached.
Funnel Builder security patch release (version 3.15.0.3)
Security Patch Release
H score77
First: 16.05.2026 18:20
Last: 16.05.2026 18:20
Sources 1
About this happening:
**FunnelKit** released **version 3.15.0.3** to fix a **Funnel Builder** flaw that was being **actively exploited** to inject malicious JavaScript into **WooCommerce checkout pages...
Funnel Builder security patch release (version 3.15.0.3)
Security Patch ReleaseAbout this happening: **FunnelKit** released **version 3.15.0.3** to fix a **Funnel Builder** flaw that was being **actively exploited** to inject malicious JavaScript into **WooCommerce checkout pages...
Payment iframe defense against malicious overlays on checkout pages
Defensive Guidance
H score20
First: 24.09.2025 14:03
Last: 24.09.2025 14:03
Sources 1
About this happening:
Attackers are actively abusing **payment iframes** on **checkout pages** with **malicious overlays**, making **strict CSP** and **real-time monitoring** essential to prevent card...
Payment iframe defense against malicious overlays on checkout pages
Defensive GuidanceAbout this happening: Attackers are actively abusing **payment iframes** on **checkout pages** with **malicious overlays**, making **strict CSP** and **real-time monitoring** essential to prevent card...
Timeline
-
15.05.2026 22:30 2 articles · 1mo ago
FunnelKit releases Funnel Builder 3.15.0.3
Mitigation Patch UpdateFunnelKit releases Funnel Builder 3.15.0.3 to fix a critical unauthenticated script-injection flaw in the WordPress plugin used for WooCommerce checkout pages. The bug affects all versions before 3.15.0.3, and site owners are advised to update from the WordPress dashboard and review Settings > Checkout > External Scripts for rogue entries.
Show sources
- Funnel Builder WordPress plugin bug exploited to steal credit cards — www.bleepingcomputer.com — 15.05.2026 22:30
- Funnel Builder WordPress plugin bug exploited to steal credit cards — www.bleepingcomputer.com — 15.05.2026 22:30
-
15.05.2026 22:30 1 articles · 1mo ago
Sansec reports active exploitation of Funnel Builder
Initial DisclosureSansec reports that the Funnel Builder WordPress plugin used by WooCommerce sites is being actively exploited to inject malicious JavaScript into checkout pages. The payload analytics-reports[.]com/wss/jquery-lib.js impersonates Google Tag Manager and Google Analytics, opens a WebSocket to wss://protect-wss[.]com/ws, and delivers a customized payment card skimmer that steals credit card numbers, CVVs, billing addresses, and other customer information.
Show sources
- Funnel Builder WordPress plugin bug exploited to steal credit cards — www.bleepingcomputer.com — 15.05.2026 22:30